Iranian hackers have searched cybercriminal websites for sensitive data stolen from American and foreign organizations that could be useful in future efforts to hack those organizations, the FBI said in an advisory sent to US companies obtained by CNN.
The Iranian hackers have taken an interest in dark-web forums, where scammers leak information on their victims such as stolen emails and network configurations, according to the November 8 advisory. The FBI is concerned that the Iranian hacking group could use that information to plot ways into US corporate networks in the future.
The FBI warning underscores how various computer operatives — some motivated by espionage or other government requirements, others by profit — can exploit the cybercriminal underworld for their own purposes. While the Biden administration wages a crackdown against ransomware, some criminal groups continue to publish data about their victims to pressure them into paying money to unlock their computers.
“If your organization’s information was previously compromised, the FBI recommends considering how any data exfiltrated could be leveraged to conduct further malicious activity against your network,” says the FBI bulletin, which advises companies on how to prepare for follow-on hacks.
Bleeping Computer, a cybersecurity news outlet, was first to report on the FBI analysis.
CNN has requested comment from the FBI on the advisory. The bureau regularly sends private alerts to US organizations about ongoing hacking threats.
It is unclear which Iranian hacking group is behind the activity. The FBI did not identify the hackers by name or say if they are linked to the Iranian government.
Adam Meyers, senior vice president of intelligence at security firm CrowdStrike, said that Iranian government-linked hackers have increasingly dabbled in cybercriminal activity, such as ransomware, as a means of blurring the lines between state and non-state cyber operations.
“It is well within (Iranian groups’) modus operandi to purchase access to networks held by a criminal group if it serves their interests,” Meyers told CNN.
One suspected Iranian group posed as ransomware operators while conducting disruptive hacks of Israeli organizations this year, according to SentinelOne, another cybersecurity firm.
While analysts often list Iran after Russia and China in terms of cyber capabilities, Tehran still has an array of hacking teams it can draw on to try to infiltrate US corporate and government networks.
US intelligence officials blamed Iranian hackers for posing as the Proud Boys, a far-right US group, and sending threatening emails to American voters ahead of the 2020 election.