Log4Shell Exploit Used in Cox Media Group Ransomware Attack Attributed to Iranian Hackers

In June of last year, Cox Media Group (CMG) IT systems and live streams were the targets of a ransomware attack. The Microsoft Threat Intelligence Center (MSTIC) has attributed the attack to an Iranian threat actor, codenamed DEV-0270, a group linked to multiple intrusions of US companies. It has been determined that the attackers had gained access to the CMG systems, and had been active on them, since May of 2021.

The attack is part of larger trends in Iranian hacker activity globally identified by the MSTIC. According to Microsoft, at CyberWarCon 2021 “MSTIC analysts presented their analysis of these trends in Iranian nation-state actor activity during a session titled ‘The Iranian evolution: Observed changes in Iranian malicious network operations’.”

Advanced persistent threat (APT) actors like DEV-0270 usually engage in intelligence collection operations and financially motivated attacks, according to a Microsoft threat intelligence report on the group. The attack may be part of a larger trend, also discussed by the MSTIC researchers: the use of a seemingly “benign” ransomware attack to hide intelligence collection. A ransomware attack triggers the type of IT and cybersecurity investigation that is less concerned with finding intelligence collection activities and patterns in a system. Another scenario is that CMG was a company with no intelligence collection value for the hackers, but offered an opportunity to monetize the activity through a ransomware attack. The intent of the Iranian APT attack on the American media company remains unclear.

This attribution is also one of many Log4Shell vulnerability headlines of the last three weeks, as DEV-0270 (also known as Phosphorus) exploited Log4Shell in Log4j for initial access to the CMG systems. Additional recent fallout from the Log4Shell vulnerability (since we last reported on the Five Eyes Issued Joint Log4Shell Advisory over the holiday) includes:

APT ‘Aquatic Panda’ Targets Universities with Log4Shell Exploit Tools

SAP Kicks Log4Shell Vulnerability Out of 20 Apps

Multiple Log4j scanners released by CISA, CrowdStrike

Alibaba Suffers Government Crackdown Over Log4j

Google: More than 35,000 Java packages impacted by Log4j vulnerabilities

Log4Shell attacks expand to nation-state groups from China, Iran, North Korea, and Turkey

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.