FBI detects Iranian cyber criminals in US systems

WASHINGTON — The FBI has detected a group of hackers that it believes is using dozens of IP addresses and hundreds of domains hosted in the United States, possibly to attack enemies of the Iranian government.

A Cyber Division Flash bulletin indicates “a group of malicious cyber actors — likely located in Iran — use Virtual Private Server infrastructure hosted in the United States to compromise government, corporate and academic computer networks based in the Middle East, Europe and the United States.”

According to the document, released July 25, “the infrastructure is used in conjunction with identified malicious domains to support a broad cyber campaign, which likely includes the use of email spear phishing, social engineering and malicious websites. These cyber actors almost certainly have been involved in this activity since at least early 2015.”

The alert says that a combination of FBI and private-sector analysis makes it likely the perpetrators are located in Iran, and that some victim data stolen in the attacks has transited US-based infrastructure before reaching IP addresses located in Iran.

Authorities have determined that at least one identified malicious domain was registered by a presumed Iranian national connected to a physical address in Tehran, Iran. The majority of the victims of the campaign were located in Middle Eastern countries known to be traditional adversaries of the Iranian regime.

The FBI has issued a list of recommended measures to mitigate the activity:

• Prepare an incident response plan that can be put into action rapidly in case of a cyber intrusion.
• Patch all systems for critical vulnerabilities, prioritizing timely patching of Internet-connected servers and software that process internet data such as web browsers, browser plug-ins and document readers.
• Scrutinize links contained in emails and do not open attachments included in unsolicited emails.
• Implement application whitelisting to block execution of malware, or at least block execution of files from TEMP directories, from which most malware attempts to execute.
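The last measure, blocking execution from TEMP directories, is the one most organizations can put in place quickly. The following PowerShell is an added example, not from the FBI bulletin or this article, which name no product: it builds a Windows AppLocker policy that denies EXE and script execution from per-user Temp folders while keeping AppLocker's default allow rules, dry-runs the policy against a constructed sample file, and then merges it into the local policy. AppLocker as the whitelisting mechanism, the rule names, the run-time generated rule GUIDs and the sample file name dropper.exe are all assumptions of this example.

```powershell
# Added example (not the FBI's or the article's): an AppLocker policy that denies
# execution from per-user Temp directories. Run in an elevated PowerShell on a Windows
# host whose SKU includes AppLocker. Assumptions: AppLocker as the whitelisting
# mechanism, the rule names below, and GUIDs generated at run time.

$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# AppLocker semantics that shape this policy:
#  - Once a rule collection contains any rule, every file that collection does not
#    explicitly allow is denied, so the default allow rules are included.
#  - A Deny rule always wins over an Allow rule, so the Temp deny also binds admins.
function New-PathRule {
    param(
        [string]$Name,
        [string]$Path,
        [string]$Sid,
        [ValidateSet('Allow', 'Deny')][string]$Action
    )
    $id  = [guid]::NewGuid().ToString()
    $fmt = '    <FilePathRule Id="{0}" Name="{1}" Description="" UserOrGroupSid="{2}" Action="{3}">' + "`n" +
           '      <Conditions><FilePathCondition Path="{4}" /></Conditions>' + "`n" +
           '    </FilePathRule>'
    return $fmt -f $id, $Name, $Sid, $Action, $Path
}

# %OSDRIVE%, %PROGRAMFILES% and %WINDIR% are AppLocker path variables; the wildcard
# in the middle of the path covers every user profile.
$userTemp = '%OSDRIVE%\Users\*\AppData\Local\Temp\*'

function New-Collection {
    param([string]$Type)   # "Exe" or "Script"
    $rules = @(
        (New-PathRule -Name '(Default) Program Files'  -Path '%PROGRAMFILES%\*' -Sid $everyone -Action Allow),
        (New-PathRule -Name '(Default) Windows'        -Path '%WINDIR%\*'       -Sid $everyone -Action Allow),
        (New-PathRule -Name '(Default) Administrators' -Path '*'                -Sid $admins   -Action Allow),
        (New-PathRule -Name "Deny $Type from user Temp" -Path $userTemp         -Sid $everyone -Action Deny)
    ) -join "`n"
    return "  <RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">`n$rules`n  </RuleCollection>"
}

$policyXml = "<AppLockerPolicy Version=`"1`">`n" +
             "$(New-Collection -Type Exe)`n" +
             "$(New-Collection -Type Script)`n" +
             "</AppLockerPolicy>"

$policyPath = Join-Path $env:ProgramData 'applocker-deny-temp.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run before enforcing. A copy of notepad.exe in the user's Temp folder stands in
# for a phishing dropper (constructed sample); notepad in System32 should remain allowed.
$sample = Join-Path $env:TEMP 'dropper.exe'
Copy-Item "$env:WINDIR\System32\notepad.exe" $sample -Force
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample, "$env:WINDIR\System32\notepad.exe" -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
Remove-Item $sample

# Enforce: merge into the local policy. Rules are only evaluated while the Application
# Identity service (AppIDSvc) is running; on current Windows it is a protected service,
# so make it start automatically through Group Policy rather than Set-Service.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
Start-Service AppIDSvc
```

Check the dry-run table before merging: the Temp copy should be reported as Denied by the Temp rule and the System32 binary as Allowed, and if either differs the policy should be fixed first. Two caveats a practitioner will want: the deny is path-based, so it only covers the profile Temp folder, and other user-writable locations (including %WINDIR%\Temp, which the default Windows allow rule permits) need their own deny rules or a move to publisher or hash rules; and because the policy enables the Exe and Script collections, any line-of-business software outside Program Files and Windows needs an explicit allow rule or it will stop running.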

The FBI urges those with information concerning suspicious or criminal activity to contact their local FBI field office or the FBI’s 24/7 Cyber Watch email. When available, each report submitted should include the date, time, location, type of activity, number of people, type of equipment used for the activity, the name of the submitting company or organization and a designated point of contact.

J.J. Green

JJ Green is WTOP's National Security Correspondent. He reports daily on security, intelligence, foreign policy, terrorism and cyber developments, and provides regular on-air and online analysis. He is also the host of two podcasts: Target USA and Colors: A Dialogue on Race in America.