Intelligence Training and Education
Culture • Lifestyle • Preparedness
Training and education on the intelligence cycle, collection methods, disciplines and analysis for the everyday person. It will include example reports and formats, how to analyze information, conduct open source research and publish the findings. Content will be articles, podcasts, first hand accounts and real world examples of current events. The intent is to have a "how to" of relevant intelligence subjects that anyone can learn.
January 04, 2022
For Iran, Ransomware Offers a Way to Attack the U.S. From Within

Iranian-backed hackers will increasingly carry out ransomware and other encryption-based cyberattacks against U.S. and Israeli organizations, even as nuclear negotiations continue. And if those talks break down, Iran will have an incentive to launch more disruptive attacks. An Iranian threat actor tracked as DEV-0270 was behind a ransomware attack on U.S.-based Cox Media Group over the summer, The Record reported on Dec. 29 without naming a source. Live streams from Cox's television and radio stations went down on June 3; in October the company confirmed the outage was caused by a ransomware attack. Iran's involvement in the Cox incident had not been widely reported until now, and it follows months of warnings from both Microsoft and the U.S. government that Iranian threat actors are increasingly using ransomware in their operations.

"DEV-####" is a temporary naming convention the Microsoft Threat Intelligence Center (MSTIC) uses for emerging clusters of activity until it reaches high confidence about the origin or identity of the threat actor and assigns a permanent name. The use of that label suggests The Record's information came from Microsoft.

In its October 2021 Microsoft Digital Defense Report, Microsoft said in a footnote that DEV-0270 compromised Cox Media Group on May 17 and attributed the group to Iran.

At CyberWarCon in November, MSTIC researchers said DEV-0270 was closely associated with the known Iranian threat actor Phosphorus (also widely tracked as APT35 and Charming Kitten). In subsequent publications, MSTIC said that since September 2020 it had observed six Iranian threat actors, including Phosphorus, using ransomware in attacks that further Iran's strategic objectives.

On Nov. 17, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC) and the United Kingdom's National Cyber Security Centre (NCSC) issued a joint cybersecurity advisory saying an unnamed Iranian threat actor was deploying ransomware against U.S. and Australian organizations. The group gained initial access by exploiting known vulnerabilities in Microsoft Exchange (the ProxyShell chain, including CVE-2021-34473) and in Fortinet's FortiOS (CVE-2018-13379, CVE-2020-12812 and CVE-2019-5591), and then encrypted files with Windows' built-in BitLocker tool rather than custom ransomware. Although the advisory did not name the group, the tools and techniques it described are consistent with MSTIC's analysis of Phosphorus ransomware attacks.
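Two parts of that tradecraft are detectable with ordinary endpoint telemetry: a web shell dropped after Exchange exploitation shows up as the IIS worker process (w3wp.exe) spawning a command shell, and "living off the land" BitLocker encryption shows up as manage-bde.exe being invoked with a password or recovery-password protector and then deleting the existing protectors. The following detection logic is an added example, not code from the article or from any of the agencies cited; it runs over constructed Sysmon-style process-creation records, and the allowlist of management agents (CcmExec.exe, MBAMAgent.exe) is a hypothetical placeholder to be tuned to a real environment.

```python
from __future__ import annotations

import json

# Constructed Sysmon-style process-creation records (Event ID 1), one JSON
# object per line. Synthetic sample data for this example only; not telemetry
# from any incident discussed in the article.
SAMPLE_LOG = r"""
{"ts":"2021-06-03T01:12:04Z","host":"EXCH01","event_id":1,"image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","command_line":"w3wp.exe -ap \"MSExchangeOWAAppPool\""}
{"ts":"2021-06-03T01:12:09Z","host":"EXCH01","event_id":1,"image":"C:\\Windows\\System32\\cmd.exe","parent_image":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","command_line":"cmd.exe /c whoami"}
{"ts":"2021-06-03T01:15:41Z","host":"FS02","event_id":1,"image":"C:\\Windows\\System32\\manage-bde.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"manage-bde.exe -on D: -pw -UsedSpaceOnly"}
{"ts":"2021-06-03T01:15:42Z","host":"FS02","event_id":1,"image":"C:\\Windows\\System32\\manage-bde.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","command_line":"manage-bde.exe -protectors -delete D: -type recoverypassword"}
{"ts":"2021-06-03T08:00:00Z","host":"WS17","event_id":1,"image":"C:\\Windows\\System32\\manage-bde.exe","parent_image":"C:\\Windows\\CCM\\CcmExec.exe","command_line":"manage-bde.exe -status C:"}
{"ts":"2021-06-03T08:00:05Z","host":"WS17","event_id":1,"image":"C:\\Windows\\System32\\manage-bde.exe","parent_image":"C:\\Windows\\CCM\\CcmExec.exe","command_line":"manage-bde.exe -on C: -UsedSpaceOnly"}
"""

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
IIS_WORKER = "w3wp.exe"
# Hypothetical allowlist: management agents that legitimately drive BitLocker
# in this environment. Tune this to your own deployment tooling.
BITLOCKER_MANAGEMENT_PARENTS = {"ccmexec.exe", "mbamagent.exe"}
# Protector switches an intruder would use: a password or numeric recovery
# password they control, instead of the machine's TPM.
ATTACKER_PROTECTORS = {"-pw", "-password", "-rp", "-recoverypassword"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    """Parse newline-delimited JSON, keeping only process-creation events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            ev = json.loads(line)
            if ev.get("event_id") == 1:
                events.append(ev)
    return events


def analyze_event(ev: dict) -> list[dict]:
    """Apply the detection rules to one event; return zero or more findings."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    argv = ev["command_line"].lower().split()
    findings: list[dict] = []

    def add(rule: str, severity: str, detail: str) -> None:
        findings.append({"rule": rule, "severity": severity, "host": ev["host"],
                         "ts": ev["ts"], "detail": detail})

    # Rule 1: an IIS worker process spawning a shell is the classic footprint
    # of a web shell dropped after Exchange exploitation such as ProxyShell.
    if parent == IIS_WORKER and image in SHELLS:
        add("iis_worker_spawned_shell", "high", ev["command_line"])

    if image == "manage-bde.exe":
        # Rule 2: encryption being turned on. High severity when a password or
        # recovery-password protector is supplied, or when the parent is not
        # a known management agent; otherwise recorded for review only.
        if "-on" in argv:
            uses_attacker_protector = bool(ATTACKER_PROTECTORS & set(argv))
            unexpected_parent = parent not in BITLOCKER_MANAGEMENT_PARENTS
            severity = "high" if uses_attacker_protector or unexpected_parent else "info"
            add("bitlocker_enable", severity, ev["command_line"])
        # Rule 3: deleting protectors (typically the recovery password) is how
        # an intruder closes the owner's recovery path.
        if "-protectors" in argv and "-delete" in argv:
            add("bitlocker_protector_removed", "high", ev["command_line"])
    return findings


def detect(text: str) -> list[dict]:
    """Run all rules over an NDJSON export and return findings in log order."""
    return [f for ev in parse_events(text) for f in analyze_event(ev)]


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['host']} {f['severity']:<4} {f['rule']}: {f['detail']}")
```

On the sample data the EXCH01 shell under w3wp.exe and both FS02 manage-bde invocations fire at high severity, the WS17 status query is ignored, and the WS17 enablement under the allowlisted agent is logged at "info". A manage-bde "-on" with a "-pw" protector is the strongest single signal: legitimate enterprise rollouts almost always rely on the TPM and escrow recovery keys to Active Directory or an MDM rather than typing a password at the console.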

Ransomware and other disruptive cyberattacks involving encryption give Iran a way to strike back at the United States and Israel as a part of its asymmetric national security strategy, similar to Iranian attacks on Israeli maritime traffic and Middle Eastern energy infrastructure. The physical threats Iran poses to U.S. interests are largely limited to local attacks, including drone and rocket strikes against U.S. forces in Iraq, as well as U.S. regional partners (like Israel, Saudi Arabia and Bahrain) and U.S. organizations in the broader Middle East. Iranian threat actors’ ability to target government entities and large high-profile organizations in the United States is the only way Tehran can directly threaten the U.S. mainland, making it an attractive strategy. Compared with rocket strikes that may kill U.S. military personnel, cyberattacks against organizations like Cox are also less likely to lead to a physical U.S. military response (as long as those cyberattacks don’t destroy critical infrastructure or cause civilian deaths). This gives Iran a large incentive to increasingly conduct ransomware and phishing attacks, as well as deploy data wipers and steal banking information, among other cyber warfare tactics.

MosesStaff, one of the six Iranian threat actors that MSTIC said was carrying out ransomware attacks, has even forgone ransom demands in some of its attacks on Israeli organizations, using the encryption itself as a disruptive tool rather than as leverage for payment. MosesStaff has openly stated it was "expos[ing] the crimes of the Zionists in the occupied territories." With disruption, not monetary gain, as Iran's ultimate goal, other Iranian threat actors may not bother with ransoms either, and even where a ransom is paid they may not care whether the decrypter they hand over actually works.

Iran's high appetite for risk when carrying out its asymmetric national security strategy raises the potential for disruptive and/or destructive cyberattacks against U.S. and Middle Eastern organizations. The Iranian-backed drone and missile strikes in 2019 against Saudi Arabia's Abqaiq oil processing facility, one of the most important oil and gas facilities in the world, showed the level of risk Tehran is willing to accept to achieve its strategic goals. Iran has also been connected to several attacks on Middle Eastern oil tankers in recent years, along with several potentially destructive attempted cyberattacks against Israel. In April 2020, an Iranian threat actor broke into an Israeli water treatment facility and tried to raise chlorine levels in the water supply to dangerous levels; the intrusion was discovered before it succeeded. Iranian threat actors have also repeatedly deployed variants of the Shamoon wiper malware against organizations in the Middle East, including a 2012 attack that wiped more than 30,000 computer systems belonging to Saudi Arabia's state-owned oil giant Saudi Aramco.

If ongoing nuclear negotiations fall apart, Iranian threat actors will likely become more aggressive and take more risks when carrying out disruptive cyber campaigns. The eighth round of nuclear negotiations between Iran and other global powers began on Dec. 27, but multiple U.S. officials have accused Iran of dragging its feet in negotiations under the country’s new conservative president, Ebrahim Raisi. The negotiations are still most likely to yield a limited agreement in which the United States lifts some sanctions on Iran in exchange for Tehran scaling back its nuclear activity. But the risk of talks collapsing without a deal is steadily increasing — especially if breakthroughs are not made over the next few weeks. Amid Iran’s uptick in nuclear enrichment activities and installation of more advanced centrifuges, U.S. and Israeli officials have warned that the JCPOA talks may only have “weeks” and not “months” to make progress before the two countries take other actions against Tehran, which could include increased covert activity against Iran’s nuclear program. Such action would prompt Iran’s Islamic Revolutionary Guard Corps and Ministry of Intelligence — the two entities in Iran behind its offensive cyber policy — to call for and likely ultimately launch more disruptive cyberattacks directed at both Israel and the United States.

Iranian attacks that either directly or indirectly disrupt U.S. critical infrastructure sectors, in particular, are a distinct possibility. Iranian threat actors have invested heavily in developing capabilities to target the industrial control systems of critical infrastructure, as the attempted attack on the Israeli water treatment plant shows. Although Iranian threat actors may not be as sophisticated as Chinese and Russian nation-state actors, their willingness to disrupt U.S. critical infrastructure is currently higher. Chinese and Russian hackers certainly break into U.S. critical infrastructure, carry out reconnaissance and preposition malware for potential future use. But compared with Tehran, neither Beijing nor Moscow is as likely to disrupt critical parts of the U.S. economy. Even the May 2021 attack by Russian criminal hackers (not directly linked to the Kremlin) on Colonial Pipeline was not intended to halt the pipeline's operations, despite doing so: the ransomware hit the company's IT systems, and the operator shut down the pipeline itself as a precaution. Nevertheless, Iran will see the Colonial Pipeline attack as proof that ransomware and encryption attacks do not even need to touch industrial control systems to be highly disruptive. For Tehran, indirectly forcing critical services offline through a ransomware attack would likely be viewed as a welcome side effect, making ransomware and other encryption attacks on government and non-government organizations that manage critical infrastructure even more attractive.

Historically, operational technology (OT) networks have been segmented from the internet and air-gapped from the information technology networks that ransomware groups gain access to. That boundary is increasingly blurred as businesses connect plant data to automated billing and enterprise systems and deploy smart technologies and IoT devices on the manufacturing floor and in industrial applications, giving an intruder on the IT side more paths into, or at least more leverage over, the OT side.
