The Secureworks Counter Threat Unit (CTU) researchers are investigating attacks by the Iranian COBALT MIRAGE threat group, which has been operating since at least June 2020. Linked to the Iranian COBALT ILLUSION threat group, COBALT MIRAGE uses persistent phishing campaigns to gain access. 

Based on Secureworks incident response engagements, CTU researchers identified two distinct clusters of COBALT MIRAGE intrusions one cluster uses BitLocker and DiskCryptor to conduct ransomware attacks for financial gain; the other cluster instead focuses on targeted intrusions to gain access and collect intelligence, as well as to experiment with ransomware. 

COBALT MIRAGE has demonstrated a preference for attacking organizations in Israel, the U.S., Europe, and Australia. 

The threat group has leveraged a broad scan-and-exploit campaign targeting Microsoft Exchange servers, as well as exploited the ProxyShell vulnerabilities, for example, to gain access to a U.S. local government network in March 2022 and a U.S. philanthropic organization in January 2022. 

While the threat actors appear to have had a reasonable level of success gaining initial access to a wide range of targets, their ability to capitalize on that access for financial gain or intelligence collection appears limited. 

The threat group’s ability to use publicly available encryption tools for ransomware operations and mass scan-and-exploit activity to compromise organizations creates an ongoing threat. “Conducting espionage can lead to significant financial gain depending on the group’s motives and geopolitical leaning/backing. The focus on both indicates that the group may be state-backed with a focus on gaining long-term cash out with short-term gain via espionage,” says Andy Gill, Senior Security Consultant at LARES Consulting.

Organizations must prioritize patching high-severity and highly publicized vulnerabilities on internet-facing systems, implement multi-factor authentication, and monitor the tools and file-sharing services used by COBALT MIRAGE, CTU researchers suggest.