CISA: Joint Cybersecurity Advisory on Iranian Government-Sponsored APT Cyber Activity


On Wednesday, November 17, CISA, the FBI, the United Kingdom National Cyber Security Centre (NCSC), and the Australian Cyber Security Centre (ACSC) released a Joint Cybersecurity Advisory, Iranian State-Sponsored Advanced Persistent Threat (APT) Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities.

The Iranian government-sponsored APT actors are actively targeting a broad range of victims across multiple critical infrastructure sectors, including the Transportation Sector and the Healthcare and Public Health Sector. FBI, NCSC, ACSC, and CISA assess that the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. Access gained by these Iranian government-sponsored APT actors can be leveraged for follow-on operations such as data exfiltration or encryption, ransomware, and extortion.

This advisory provides observed tactics and techniques, as well as indicators of compromise (IOCs) that are likely associated with this Iranian government-sponsored APT activity. The FBI, NCSC, ACSC, and CISA urge critical infrastructure organizations to apply the recommended mitigations to reduce the risk of compromise from this APT activity.

CISA, the FBI, NCSC, and ACSC are asking organizations to take the following immediate actions to protect against this malicious cyber activity:

  • Immediately patch software affected by the following vulnerabilities: CVE-2021-34473, CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591;
  • Implement multi-factor authentication; and
  • Use strong, unique passwords.

This advisory about the active exploitation of known vulnerabilities by nation-state actors underscores the importance of CISA’s Binding Operational Directive 22-01, and the urgency for public and private sector organizations to prioritize remediation of known exploited vulnerabilities in a timely manner.

For more information on Iranian state-sponsored activity, see our webpage on Iran Cyber Threat Overview and Advisories.

Steve Lyddon
Protective Security Advisor, Region 5, Illinois
Cybersecurity and Infrastructure Security Agency
U.S. Department of Homeland Security
Cell: 217-299-3954