top of page

Increased cyber activity from Iran

Iran has been the focus of an increase in cyber activity recently, with the country facing threats from hacktivist groups internationally, as well as conducting offensive action through state-sponsored groups targeting organisations for the purpose of cyber espionage and ransomware extortion.

In November 2021, an advisory was released as part of a collaborative effort between the UK, the U.S., and Australia warning of Iranian state-sponsored advanced persistent threats (APT) found to be exploiting Fortinet and Microsoft Exchange ProxyShell vulnerabilities.

Once initial access was facilitated through the abuse of these vulnerabilities, there was evidence of cyber espionage and double extortion through the exfiltration and encryption of information.

On September 14, 2022, the same organisations (NCSC, CISA, FBI and ACSC) updated the threat posed by Iranian APTs with insights on their recent exploits.

The groups have added exploitation of Log4Shell (CVE-2021-44228) found within VMware Horizon to their capabilities which is being leveraged to gain access to networks.

It has been assessed by the NCSC et al, that the victim organisations have been chosen based upon the presence of Log4Shell/ProxyShell vulnerabilities and is not determined by sector or industry.

Conversely, Iran is currently experiencing civil unrest, which was sparked after the death and funeral of Mahsa Amini on the 16th and 17th of September.

Mahsa Amini died shortly after being arrested for failing to wear her hijab tightly in accordance with the Iranian regime.

Since her death, protestors have rallied within the country to dispute the restrictive laws that women in Iran face. These protests have been partnered with an international effort from hacktivist groups including Anonymous to bypass Iranian censorship and cause disruptions in support of the protestors.

At the time of writing, the BBC’s latest report states that almost 80 protestors have been killed by Iranian security forces.

Driven by this news, data breach and exfiltration groups have posted resources on forums, social media, and Telegram to help citizens share their protests with the rest of the world, demonstrating tools such as virtual private networks (VPNs), Tor and secure messaging applications.

More aggressive actions have seen the compromise and leaking of Iranian government information and denial of service attacks against both government organisations and state media outlets.

With the knowledge that APTs are seeking out targets vulnerable to Fortinet, Microsoft exchange servers or VMwarehorizon compromise, it is strongly encouraged that organisations check their estates for the presence of Fortinet vulnerabilities CVE-2018-13379, CVE-2020-12812, CVE-2019-5591, Log4Shell within VMware Horizon CVE-2021-44228, CVE-2021-45046, CVE-2021-45105 and Microsoft Exchange server ProxyShell vulnerabilities CVE-2021-34473, CVE-2021-31196 and CVE-2021-31206.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page