CISA Cybersecurity Alerts 9.15.22
Ep 30 | 9.15.22

CISA Alert AA22-257A – Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations.


This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack Two Five Seven Alpha.

Original release date: September Fourteenth, twenty twenty two.

This joint Cybersecurity Advisory highlights continued malicious cyber activity by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps.

The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. These actors often operate under the auspices of Najee Technology Hooshmand Fater LLC, based in Karaj, Iran, and Afkar System Yazd Company, based in Yazd, Iran. The authoring agencies assess the actors are exploiting known vulnerabilities on unprotected networks rather than targeting specific entities or sectors.

The authoring agencies have observed the cyber actors scanning for and exploiting known vulnerabilities in Fortinet FortiOS, Microsoft Exchange server, ProxyShell, and Log4j to gain initial access to a broad range of targeted entities.

This alert documentation listed in the show notes provides observed tactics, techniques, and indicators of compromise that the authoring agencies assess are likely associated with this IRGC-affiliated APT. The authoring agencies urge organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of the alert documentation to mitigate risk of compromise from these IRGC-affiliated cyber actors.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.