The Associated Press
FILE - In this Feb. 25, 2015 file photo, the Department of Homeland Security headquarters...
Iran-backed hackers accused of targeting critical US sectors
WASHINGTON -- Hackers linked to the Iranian government have been targeting a “broad range of victims” inside the United States, including by deploying ransomware, according to an advisory issued Wednesday by American, British and Australian officials.
The advisory says that in recent months, Iran has exploited computer vulnerabilities exposed by hackers before they can be fixed and targeted entities in the transportation, health care and public health sectors. The attackers leveraged the initial hack for additional operations, such as data exfiltration, ransomware and extortion, according to the advisory. The group has used the same Microsoft Exchange vulnerability in Australia, officials say.
The warning is notable because even though ransomware attacks remain prevalent in the U.S., most of the significant ones in the past year have been attributed to Russia-based criminal hacker gangs rather than Iranian hackers.
Government officials aren't the only ones noticing the Iranian activity: Tech giant Microsoft announced Tuesday that it had seen six different groups in Iran deploying ransomware since last year.
Microsoft said one of the groups spends significant time and energy trying to build rapport with its intended victims before targeting them with spear-phishing campaigns. The group uses fake conference invitations or interview requests and frequently masquerades as officials at think tanks in Washington, D.C., as a cover, Microsoft said.
Once rapport is built and a malicious link is sent, the Iranians are extra pushy at trying to get their victims to click on it, said James Elliott, a member of the Microsoft Threat Intelligence Center.
“These guys are the biggest pain in the rear. Every two hours they’re sending an email,” Elliott said at the Cyberwarcon cybersecurity conference Tuesday.
Earlier this year Facebook announced it had found Iranian hackers using “sophisticated fake online personas” to build trust with targets and get them to click on malicious links, and often posed as recruiters of defense and aerospace companies.
Researchers at the Crowdstrike cybersecurity firm said they and competitors began seeing this type of Iranian activity last year.
The Iranian ransomware attacks, unlike those sponsored by North Korea’s government, are not designed to generate revenue so much as for espionage, to sow disinformation, to harass and embarrass foes — Israel, chief among them — and to essentially wear down their targets, Crowdstrike researchers said at the Cyberwarcon event.
“While these operations will use ransom notes and dedicated leak sites demanding hard cryptocurrency, we’re really not seeing any viable effort at actual currency generation,” Crowdstrike global threat analysis director Katie Blankenship said.
Crowdstrike considers Iran to be the trendsetter in this novel “low form” of cyberattack, which typically involves paralyzing a network with ransomware, stealing information and then leaking it online. The researchers call the method “lock and leak.” It is less visible, less costly and “provides more room for deniability,” Blankenship said.
———
Suderman reported from Richmond, Virginia, and Bajak from Boston.