{
	"id": "69759349-e181-4cb4-84ea-b2604aa88ceb",
	"created_at": "2026-04-06T00:17:30.66201Z",
	"updated_at": "2026-04-10T03:31:41.49273Z",
	"deleted_at": null,
	"sha1_hash": "63f3229483f0ba26ce5b1b5d153e20a367f58daf",
	"title": "Iranian hackers behind Cox Media Group ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85799,
	"plain_text": "Iranian hackers behind Cox Media Group ransomware attack\r\nBy Catalin Cimpanu\r\nPublished: 2023-01-09 · Archived: 2026-04-05 21:29:25 UTC\r\nThe ransomware attack that crippled the IT systems and live streams of Cox radio and TV stations earlier this year was the work of Iranian hackers, The Record has learned.\r\nThe attack has been attributed to a threat actor tracked under the codename DEV-0270, a group linked to several intrusions against US companies this year that have ended in the deployment of ransomware.\r\nWhile the intrusion at the Cox Media Group came to light on June 3, when the attackers deployed their ransomware and encrypted some internal servers, the group had actually breached the company's internal network in mid-May and had been lurking inside it for weeks.\r\nThe attack did not impact all Cox Media Group radio and TV stations but managed to cripple the ability of some stations to broadcast live streams on their sites.\r\nThe Cox Media Group initially tried to play down the attack. Local reporters who shared details about the ransomware incident on Twitter were admonished and told to delete tweets.\r\nThe company did, however, formally confirm the attack in October, four months later, but without mentioning any details about the Iranian hackers.\r\nThe revelation that Iranian hackers were behind the Cox attack comes a month after the US Department of Justice charged two Iranian nationals in November on several hacking-related charges. One of them was for the hacking of a US media company, with the intention of disseminating false news via its website regarding the legality of the US 2020 Presidential election. The company was later identified as Lee Enterprises, the operator of news sites like Buffalo News, the Arizona Daily Star, and the Omaha World-Herald.\r\nAccording to a Microsoft threat intelligence report on the group, DEV-0270 has historically engaged in both intelligence collection operations and financially motivated attacks, which muddies the real motivation behind the recent Cox ransomware attack.\r\nDeploying ransomware on the networks of large companies is a tactic that was first seen used by Iranian hackers, namely the SamSam group, in late 2016.\r\nTheir method of targeting large companies rather than end consumers was eventually adopted by most of the ransomware threat actor landscape and is today known as \"big-game hunting.\"\r\nSince then, most ransomware attacks have been linked to Russia-based groups; however, in recent years, some ransomware incidents have also been linked to members of state-sponsored espionage groups based in Iran, China, and North Korea.\r\nhttps://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/\r\nPage 1 of 3\r\nThese groups deployed ransomware on the networks of some of their victims as a way to monetize hacked companies that have no intelligence-collection value, or as a way to hide intelligence collection under a more generic ransomware incident that wouldn't trigger a more in-depth investigation.\r\nCox Media Group spokespersons did not return requests for comment about the May-June intrusion.\r\nCatalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.\r\nSource: https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/iranian-hackers-behind-cox-media-group-ransomware-attack/"
	],
	"report_names": [
		"iranian-hackers-behind-cox-media-group-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270",
				"Nemesis Kitten",
				"PHOSPHORUS",
				"TunnelVision",
				"UNC2448"
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434650,
	"ts_updated_at": 1775791901,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63f3229483f0ba26ce5b1b5d153e20a367f58daf.pdf",
		"text": "https://archive.orkl.eu/63f3229483f0ba26ce5b1b5d153e20a367f58daf.txt",
		"img": "https://archive.orkl.eu/63f3229483f0ba26ce5b1b5d153e20a367f58daf.jpg"
	}
}