Iranian Hackers Installed Crypto Miner in Federal Agency After Exploiting Unpatched Log4Shell Vulnerability
2022-11-25 16:00:00
The Cybersecurity and Infrastructure Security Agency (CISA) said Iranian hackers breached a federal agency that had failed to patch the Log4Shell vulnerability and deployed a crypto miner on its systems. Log4Shell (CVE-2021-44228) is a critical remote code execution flaw in Apache’s Log4j logging library, which is widely used by Java developers.
The breach, which occurred as early as February 2022, affected an unnamed federal civilian executive branch (FCEB) organization. However, the Washington Post, citing people familiar with the incident, identified the breached agency as the U.S. Merit Systems Protection Board.
Iranian hackers installed XMRig crypto miner on federal systems
CISA discovered the intrusion in April while conducting a network-wide analysis using the intrusion detection system Einstein. The security agency discovered “bi-directional traffic between the network and a known malicious IP address associated with exploitation of the Log4Shell vulnerability.”
Subsequently, CISA conducted “an incident response engagement” from mid-June through mid-July 2022, and discovered “suspected advanced persistent threat activity.”
Once inside, the Iranian hackers deployed XMRig, an open-source crypto miner popular with attackers because it earns virtual currency using the victim’s computing resources. CISA’s analysis identified several files associated with XMRig, such as WinRing0x64.sys, the XMRig miner driver, and wuacltservice.exe, which…