Iranian hacking group has launched more than 30 than hacking campaigns

Iranian hacking group has launched more than 30 than hacking campaigns

16. September 2022 0 By Horst Buchwald

Iranian hacking group has launched more than 30 than hacking campaigns

Washington, Sept. 16, 2022

Iranian hacking groups, apparently backed by the state, have come under increasing scrutiny recently. The latest action to date is attributed to a threat actor known as APTR42. Western cybersecuritsy experts believe that the Iranians have currently launched over 30 hacking campaigns since 2015.

The Iranian hackers have targeted numerous governments and organizations in Asia. This hacking campaign has been active since early 2021. It targets finance, aerospace, defense, IT, and telecommunications.

The hackers use DLL side-loading as a threat vector. This method exploits vulnerabilities in Windows systems by tricking them into opening malicious files instead of safe files.

Targets are hit by malware capable of bypassing security protocols in addition to launching DLL attacks remote access Trojans.

In addition to the DLL Windows vulnerability, threat actors exploit another Windows vulnerability known as ProxyLogon server vulnerability. This flaw allows hackers to gain remote access privileges by impersonating the administrator of the target device.

Iranian hackers are believed to have recently penetrated Albania and brought down the national digital document infrastructure, E-Albania. State-backed hackers also penetrated the country’s digital border control system, called TIMS.

As a result, Albania severed diplomatic relations with the country, while the U.S. imposed sanctions. The Iranian government has denied being involved in the hacking campaign.

According to the researchers, the group is strengthened by the Iranian government’s support.

APT42 is also believed to be working with APT35, a threat actor known for infiltrating HBO and numerous government officials.

The group uses social hacking to gain access to credentials. This method allows the group to avoid detection by penetrating systems with brute-force attacks. APT42 members are believed to pose as journalists to gain credibility.

The threat actor uses Android malware such as Vinethorn. This malware can gain access to microphones, chat histories, media galleries, etc.

Just a few days ago, the US announced new sanctions against Iran as the country launched numerous attacks against US allies, including a cyberattack on Albania. This hacking campaign crippled E-Albania, the country’s national digital document infrastructure.

Albania severed all diplomatic relations with Iran as a result of this attack.

Iranian hackers are believed to have the most ransomware tools in 2021 The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) indicted and sanctioned Iran’s Ministry of Intelligence and Security (MOIS) on Sept. 9 for engaging in cyber activities against the United States and its allies. The explanatory memorandum states:

Since at least 2007, MOIS and its cyber actors have conducted malicious cyber operations targeting a range of government and private organizations around the world and in various critical infrastructure sectors. In July 2022, cyber threat actors assessed to be sponsored by the Iranian government and MOIS brought down the Albanian government’s computer systems, forcing the government to suspend online public services to its citizens.

Treasury Undersecretary for Terrorism and Financial Crimes Brian E. Nelson pointed out in a statement that “the Iranian cyberattack on Albania violates the norms for responsible peacetime government conduct in cyberspace , which include the norm of not damaging critical infrastructure that provides services to the public,” he said. He then clarified, “We will not tolerate Iran’s increasingly aggressive cyber activities directed at the United States or our allies and partners.”


OFAC provided further details on the MOIS: According to the report, the group is led by Esmail Khatib. The latter reportedly engaged in cyber espionage and ransomware attacks with multiple networks of cyber threat actors in support of Iran’s political goals.

It said MOIS cyber actors not only conducted malicious cyber activities, but were also responsible for leaking documents purportedly from the Albanian government and personal data of Albanian citizens.

Further, OFAC’s statement said : “Earlier this year, the United States identified an advanced persistent threats (APT) actor group known as MuddyWater as a subordinate element within MOIS that has been conducting broad cyber campaigns in support of the organization’s objectives since approximately 2018. MuddyWater actors are known to exploit publicly reported vulnerabilities to gain access to sensitive data on victims’ systems, deploy ransomware, and disrupt the operations of private organizations. As recently as November 2021, MuddyWater was found to be involved in a cyber campaign targeting Turkish government agencies, transmitting documents containing malware likely via spearphishing emails to gain access to victims’ systems.

APT39, which was designated by OFAC on September 17, 2020, as being in possession or control of MOIS pursuant to E.O. 13553, is another cyber espionage group that Iran has used to further its malicious goals. APT39 has stolen personal data on a large scale, likely to support surveillance activities that enable Iran’s human rights abuses. Concurrent with the U.S. designation of APT39 and the Iranian government-founded Rana Intelligence Computing Company, the Federal Bureau of Investigation uncovered MOIS’s years-long malware campaign that targeted and monitored Iranian citizens, dissidents, and journalists, as well as a number of foreign organizations, including at least 15 U.S. companies.

MOIS is designated today pursuant to E.O. 13694, as amended, for being directly or indirectly responsible for or engaged in cyber-based activities that are reasonably likely to result in, or have substantially contributed to, a significant threat to the national security of the United States and that have the purpose or effect of significantly disrupting the availability of a computer or computer network.

Esmail Khatib is today designated pursuant to E.O. 13694, as amended, for acting or purporting to act, directly or indirectly, for or on behalf of the MOIS.”


The sanctions include: all assets and interests in assets of Khatib , subject to U.S. jurisdiction, will be blocked. “U.S. persons are generally prohibited from doing business with them. In addition, all companies that are 50 percent or more owned by one or more designated persons will also be blocked. All transactions by U.S. persons or within the United States (or in transit through the United States) involving property or interests in property of designated or otherwise blocked persons are prohibited unless authorized by or exempted from a general or specific license issued by OFAC. These prohibitions include making contributions or providing funds, goods, or services by, to, or for the benefit of blocked persons, and receiving contributions or providing funds, goods, or services from such persons.

In addition, non-U.S. persons engaging in certain transactions with the persons designated today may themselves be affected by the designation. In addition, any foreign financial institution that knowingly conducts or facilitates a significant transaction for or on behalf of today’s designated persons could be subject to U.S. sanctions for correspondent or pass-through accounts.”

A one-stop shop aggregating tools and resources from multiple federal agencies , which can be used to protect anyone from ransomware, is available at this site:

Hits: 0