Iran State-Sponsored Cyber Threat: Advisories
As the nation's cyber defense agency and national coordinator for critical infrastructure, CISA provides resources—including cybersecurity advisories written in coordination with partners—to help stakeholders build resilience against nation-state actors and other cyber threats.
Table 1: CISA and Joint CISA Advisories
Publication Date | Title | Description |
---|---|---|
October 16, 2024 | Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure | CISA, FBI, NSA, and international partners released this joint Cybersecurity Advisory providing known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by Iranian actors to impact organizations across multiple critical infrastructure sectors. |
October 8, 2024 | How to Protect Against Iranian Targeting of Accounts Associated with National Political Organizations | This fact sheet provides an overview of threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) targeting and compromising American accounts, specifically individuals and organizations associated with national political organizations, to undermine confidence in U.S. democratic institutions. |
August 28, 2024 | Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations | FBI, CISA, and DC3 released this joint Cybersecurity Advisory to warn network defenders that, as of August 2024, a group of Iran-based cyber actors continues to exploit U.S. and foreign organizations. This includes organizations across several sectors in the U.S. (including in the education, finance, healthcare, and defense sectors as well as local government entities) and other countries (including in Israel, Azerbaijan, and the United Arab Emirates). |
December 1, 2023 | IRGC-Affiliated Cyber Actors Exploit PLCs in Multiple Sectors, Including U.S. Water and Wastewater Systems Facilities | CISA, FBI, NSA, EPA, and the Israel National Cyber Directorate (INCD) released a CSA to highlight continued malicious cyber activity against operational technology devices by Iranian Government Islamic Revolutionary Guard Corps (IRGC)-affiliated APT cyber actors. |
November 16, 2022 | | CISA and FBI released a joint CSA about an incident at an FCEB organization in which Iranian government-sponsored APT actors exploited a Log4Shell vulnerability in an unpatched VMware Horizon server. This advisory includes a MAR on the mining software that the APT actors used against the compromised FCEB network. |
September 23, 2022 | Iranian State Actors Conduct Cyber Operations Against the Government of Albania | FBI and CISA have released this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September 2022. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. |
September 14, 2022 | Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations | FBI, CISA, NSA, USCC, CNMF, the Treasury, ACSC, CCCS, and the NCSC highlight continued malicious cyber activity by advanced persistent threat (APT) actors that the authoring agencies assess are affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC). |
February 24, 2022 | CISA, FBI, CNMF, NCSC-UK, NSA Malware Analysis Report: MAR–10369127–1.v1 – MuddyWater | CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint MAR providing detailed analysis of 23 files identified as MuddyWater tools. |
February 24, 2022 | CISA-FBI-CNMF-NCSC-UK-NSA Joint Cybersecurity Advisory: Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks | CISA, FBI, CNMF, NCSC-UK, and NSA have released a joint Cybersecurity Advisory highlighting a group of Iranian government-sponsored advanced persistent threat (APT) actors, known as MuddyWater, conducting cyber espionage and other malicious cyber operations targeting a range of government and private-sector organizations across sectors in Asia, Africa, Europe, and North America. |
November 17, 2021 | CISA-FBI-ACSC-NCSC Joint Cybersecurity Advisory: Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities | CISA, FBI, ACSC, and NCSC have released a joint CSA on Iranian government-sponsored APT actors exploiting Microsoft Exchange and Fortinet vulnerabilities to gain initial access in advance of follow-on operations. The Iranian government-sponsored APT actors are actively targeting a broad range of U.S. critical infrastructure sectors as well as Australian organizations. |
July 20, 2021 | JSAR-12-241-01B: Shamoon/DistTrack Malware (Update B) | The U.S. Government attributed previously published activity targeting industrial control systems to Iranian nation-state cyber actors. |
October 30, 2020 | CISA and FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data | CISA and FBI released a Joint CSA on an Iranian APT actor targeting U.S. state websites, including elections websites, to obtain voter registration data. The Advisory provides indicators of compromise (IOCs) and recommended mitigations for affected entities. |
October 22, 2020 | CISA-FBI Joint Cybersecurity Advisory: Iranian Advanced Persistent Threat Actors Threaten Election-Related System | CISA and FBI released an Advisory warning about Iranian APT actors likely intent on influencing and interfering with the 2020 U.S. elections to sow discord among voters and undermine public confidence in the U.S. electoral process. |
September 15, 2020 | CISA-FBI Joint Cybersecurity Advisory: Iran-Based Threat Actor Exploits VPN Vulnerabilities | CISA and FBI released a Joint CSA on an Iran-based malicious cyber actor targeting several U.S. federal agencies and other U.S.-based networks. The Advisory analyzes the threat actor’s tactics, techniques, and procedures (TTPs); IOCs; and exploited Common Vulnerabilities and Exposures. The MAR details the functionality of malicious files—including multiple components of the China Chopper Web Shell—used by Iranian-based malicious cyber actors. |
January 06, 2020 | CISA Alert: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad | In light of heightened tensions between the United States and Iran, CISA released an Alert and an “Insights” analysis providing Iranian government and affiliated cyber threat actor TTPs and an overview of Iran’s cyber threat profile, respectively. |