Azerbaijan is also under threat: U.S. intelligence agencies warn of new cyberattacks
By the News.Az Team
In August 2024, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued a joint Cybersecurity Advisory (CSA) warning of ongoing cyberattacks by Iranian cybercriminals. These attacks target a wide range of organizations, including those in the education, finance, healthcare, and defense sectors, as well as local governments in the United States and several other countries, such as Israel, Azerbaijan, and the United Arab Emirates.

According to the FBI's assessment, the Iranian cybercriminals aim to conduct multi-faceted attacks that involve both stealing sensitive information and engaging in ransomware operations. The primary objective of these activities is to gain and expand network access to critical information resources, which can then be exploited in collaboration with ransomware affiliates. This strategy allows the cybercriminals to deploy ransomware and encrypt victims' data, reflecting a high level of organization and coordination among cybercriminal groups operating on a global scale.
One of the key motives behind these attacks is to support Iran's geopolitical interests. The FBI and CISA indicate that the cyberattacks are aimed at countries and organizations that align with the foreign policy interests and objectives of the Iranian government. This includes stealing strategic information from networks related to defense and national security in the U.S., Israel, Azerbaijan, and the UAE. Such actions demonstrate a comprehensive approach by Iran to use cyberspace as a tool of statecraft.
Iranian cybercriminals show a high degree of adaptability and technical sophistication. Their methods are constantly evolving, taking into account changing conditions and defensive measures. Recent attacks have involved exploiting new vulnerabilities, such as CVE-2024-24919 and CVE-2024-3400, in systems used by major organizations worldwide. These vulnerabilities allow attackers to infiltrate corporate networks and establish control over critical systems.
Moreover, the attackers actively employ various techniques, such as exploiting vulnerable VPN and security appliances, to gain initial access to networks. They also deploy malicious web shells and backdoors to ensure continuous access to, and control over, the victims' systems. The creation of fake user accounts with administrative rights and the use of DLL side-loading to bypass security mechanisms are just a few of the methods employed.
The FBI and other U.S. intelligence agencies are confident that the activities of Iranian cybercriminals are not only aligned with government interests but are also actively supported by the Iranian government. This support may come in the form of resources and intelligence, as well as direct engagement with Iranian state structures. The cyberattacks, aimed at stealing sensitive information and undermining economic and political stability in Iran’s adversaries, clearly demonstrate an intent to use cyberspace as a battleground for strategic confrontation.
At the same time, certain aspects of their activities, such as ransomware operations, may not be directly sanctioned by the government. This is because the criminals are wary of possible monitoring of their cryptocurrency transactions and are keen to minimize the risks associated with exposing their links to official structures. The use of the company Danesh Novin Sahand as a cover also indicates a desire to conceal their true affiliations and intentions.

The Iranian cybercriminal group, known by various aliases such as Pioneer Kitten, Fox Kitten, UNC757, Parisite, RUBIDIUM, and Lemon Sandstorm, began its active operations in 2017. Over the years, they have carried out numerous successful attacks, demonstrating not only a high level of technical capability but also a readiness to adapt and expand their arsenal. Their methods and tactics have undergone significant changes, allowing them to remain relevant and dangerous players on the global cybercrime stage.
The Pay2Key campaign in 2020 was a striking example of their ability to combine cybercriminal activities with elements of information warfare. The attackers not only compromised their victims’ systems but also used the stolen data to influence public opinion and exert pressure on Israel's government structures. This highlights their capacity to conduct multi-layered operations aimed at both direct profit and achieving broader strategic goals.
In response to the threat posed by Iranian cybercriminals, the FBI and CISA have provided several recommendations for mitigating the impact of these attacks. First and foremost, organizations need to update software and security systems to the latest versions to close known vulnerabilities. It is also crucial to conduct regular security audits, monitor networks for unusual activity, and educate staff on cybersecurity best practices.
The FBI further recommends that organizations implement multi-factor authentication, restrict access to critical systems, and use encryption technologies to protect data. In case of suspected system compromise, it is advised to immediately contact cybersecurity experts and notify the appropriate law enforcement agencies to conduct investigations and minimize damage.
Cyberattacks from Iranian criminals pose a serious threat to global security and require coordinated actions at the international level. The need for cooperation between countries, organizations, and the private sector is becoming increasingly apparent, as only joint efforts can effectively counter the growing threat of cybercrime. Modern realities demand enhanced security measures and the development of new strategies to counter such cyberattacks, ensuring the safety of information systems and the protection of sensitive data in the digital age.