Joint cyber security advisory on Iranian Islamic Revolutionary Guard Corps-affiliated cyber actors exploiting vulnerabilities for data extortion and ransom operations

September 14, 2022

CSE’s Canadian Centre for Cyber Security (Cyber Centre) joined cyber security partners from the United Kingdom’s National Cyber Security Centre (NCSC-UK), the Australian Cyber Security Centre (ACSC), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), U.S. Cyber Command Cyber National Mission Force (CNMF), the Department of the Treasury (DoT), and the Federal Bureau of Investigation (FBI) in issuing a joint Cybersecurity Advisory (CSA) to highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are associated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC).

This advisory updates a previous joint CSA from November 2021, which provides information on Iranian government-sponsored APT actors exploiting known Fortinet® and Microsoft Exchange® vulnerabilities to gain initial access to a broad range of victims in furtherance of malicious activities, including ransom operations. The authoring agencies now judge that these actors are an APT affiliated with the IRGC, and that some of the activity is for the actors’ personal profit.

Today’s advisory includes observed tactics and techniques, as well as indicators of compromise (IOCs), that the cybersecurity agencies of Canada, the UK, U.S., and Australia assess are likely associated with this IRGC-affiliated activity. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these cyber actors affiliated with the IRGC.

More information on this joint advisory.
