Hackers linked to the Iranian government have been targeting a "broad range of victims" inside the United States, including by deploying ransomware, according to an advisory issued by US, UK and Australian officials.
The advisory said that in recent months, Iran's government has exploited computer vulnerabilities exposed by hackers before they can be fixed and targeted entities in the transportation, health care and public health sectors.
The attackers leveraged the initial hack for additional operations, such as data exfiltration, ransomware and extortion, according to the advisory.
The group has used the same Microsoft Exchange vulnerability in Australia, officials say.
The warning is notable because even though ransomware attacks remain prevalent in the US, most of the significant ones in the past year have been attributed to Russia-based criminal hacker gangs rather than Iranian hackers.
Government officials are not the only ones citing the Iranian-linked activity: tech giant Microsoft announced on Tuesday that it had seen six different groups in Iran deploying ransomware since last year.
Microsoft said one of the groups spends significant time and energy trying to build rapport with their intended victims before targeting them with spear-phishing campaigns.
The group uses fake conference invitations or interview requests and frequently masquerade as officials at think tanks in Washington DC as a cover, Microsoft said.
Once rapport is built and a malicious link is sent, the hackers are extra pushy at trying to get their victims to click on it, said James Elliott, a member of the Microsoft Threat Intelligence Center.
"These guys are the biggest pain in the rear. Every two hours they're sending an email," Elliott said at the Cyberwarcon cybersecurity conference on Tuesday.
Researchers at the Crowdstrike cybersecurity firm said they and competitors began seeing this type of activity last year.
The Iranian ransomware attacks, unlike those sponsored by North Korea's government, are not designed to generate revenue so much as for espionage, to sow disinformation, to harass and embarrass foes - Israel, chief among them - and to essentially wear down their targets, Crowdstrike researchers said at the Cyberwarcon event.
"While these operations will use ransom notes and dedicated leak sites demanding hard cryptocurrency, we're really not seeing any viable effort at actual currency generation," Crowdstrike global threat analysis director Kate Blankenship said.
Crowdstrike considers Iran to be the trendsetter in this novel "low form" of cyberattack, which typically involves paralysing a network with ransomware, stealing information and then leaking it online.
The researchers call the method "lock and leak".
It is less visible, less costly and "provides more room for deniability," Blankenship said.