UK and US issue warning on Iranian state-backed cyber threats

NCSC and FBI send joint advisory

Attackers working on behalf of Iran’s Islamic Revolutionary Guard Corps are using social engineering to gain access to victims’ online accounts

The National Cyber Security Centre (NCSC) has issued a warning about the ongoing threat from spear-phishing attacks carried out by cyber actors working on behalf of the Iranian government.

In a joint advisory with the FBI, the NCSC says cyber attackers are working on behalf of Iran’s Islamic Revolutionary Guard Corps (IRGC) and using social engineering techniques to gain access to victims’ personal and business accounts online.

The malicious activity is targeted against individuals with a nexus to Iranian and Middle Eastern affairs, such as current and former senior government officials, senior think tank personnel, journalists, activists and lobbyists. The US has also observed targeting of persons associated with US political campaigns.

Impersonating contacts over email

The advisory says the actors have often been observed impersonating contacts over email and messaging platforms, building a rapport with targets before soliciting them to share user credentials via a false email account login page. The actors can then gain access to victims’ accounts, exfiltrate and delete messages and set up email forwarding rules.
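As a defender-side illustration of the post-compromise step just described (forwarding rules and deleted messages), here is an added example that is not part of the advisory: it screens mailbox-rule audit events and flags the ones that forward mail outside the organisation or delete or hide the matching messages. The event layout and field names (ForwardTo, RedirectTo, DeleteMessage, MoveToFolder) are assumptions loosely modelled on Exchange-style inbox-rule parameters, and the sample events are constructed.

```python
# Added example (not from the advisory): flag newly created mailbox rules that
# match the post-compromise behaviour described above: forwarding mail out of
# the organisation and deleting or hiding the matching messages. Event shape
# and field names are assumptions loosely modelled on Exchange-style inbox-rule
# audit records; the sample events are constructed.
ORG_DOMAINS = {"example.org"}
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "junk email"}

# Constructed audit events: one benign rule, two that match the advisory's TTP.
SAMPLE_EVENTS = [
    {"user": "alice@example.org", "op": "New-InboxRule",
     "params": {"Name": "Team", "MoveToFolder": "Projects",
                "ForwardTo": ["bob@example.org"]}},
    {"user": "alice@example.org", "op": "New-InboxRule",
     "params": {"Name": ".", "ForwardTo": ["archive@mail-relay.example.net"],
                "DeleteMessage": True}},
    {"user": "carol@example.org", "op": "Set-InboxRule",
     "params": {"Name": "Conference", "SubjectContainsWords": ["Iran", "policy"],
                "RedirectTo": ["c.journalist@free-mail.example.com"],
                "MoveToFolder": "RSS Subscriptions"}},
]


def is_external(address: str, org_domains: set) -> bool:
    """True when the recipient's domain is not one of the organisation's."""
    return address.rsplit("@", 1)[-1].lower() not in org_domains


def score_rule(event: dict, org_domains: set = ORG_DOMAINS) -> list:
    """Reasons a rule-creation event looks like exfiltration; empty if benign."""
    reasons = []
    if event.get("op") not in ("New-InboxRule", "Set-InboxRule"):
        return reasons
    params = event.get("params", {})
    for key in FORWARD_KEYS:
        for addr in params.get(key, []):
            if is_external(addr, org_domains):
                reasons.append(f"{key} to external address {addr}")
    if params.get("DeleteMessage"):
        reasons.append("rule deletes matching messages")
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"rule hides mail in '{params['MoveToFolder']}'")
    if len(params.get("Name", "").strip()) <= 1:
        reasons.append("near-empty rule name")  # weak signal on its own
    return reasons


def suspicious_rules(events: list) -> list:
    """(user, reasons) for every event that raised at least one reason."""
    return [(ev["user"], score_rule(ev)) for ev in events if score_rule(ev)]
```

A single external forward is not proof of compromise on its own; in practice the hits are correlated with the sign-in that created the rule and reviewed alongside any recent password-reset or MFA-change events for the same account.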

Paul Chichester, NCSC Director of Operations, says: “The spear-phishing attacks undertaken by actors working on behalf of the Iranian government pose a persistent threat to individuals with a connection to Iranian and Middle Eastern affairs.”

The advisory says the attackers often obtain victims’ credentials by soliciting them to access a document via a hyperlink which redirects them to the false login page.

The actors are known to tailor their social engineering techniques to include areas of interest or relevance to their targets, with approaches including impersonation of family members, well-known journalists, discussion of foreign policy topics and invitations to conferences. In some cases, the actors might impersonate email service providers to obtain sensitive user security information.

Foreign terrorist organisation

In 2019, the US Department of State designated the IRGC as a foreign terrorist organisation that aimed to steal US policy information and weaken confidence in the country's electoral processes.

Alongside the most recent joint alert, the FBI also said that it had indicted three IRGC cyber actors for a 'hack-and-leak' operation which stole material from the Trump presidential campaign and leaked it to the Democratic campaign in an attempt to influence the upcoming presidential election.

FBI Director Christopher Wray said in a statement: “The FBI would like to send a message to the government of Iran: You and your hackers can't hide behind your keyboards. If you try to meddle in our elections, we're going to hold you accountable. If you try to attack our infrastructure or commit violence against our citizens, we're going to disrupt you.

“And as long as you keep attempting to flout the rule of law, you're going to keep running into the FBI, because we're going to leverage all of our partnerships and use every tool at our disposal to protect the American people and defend our democracy.”