Iranian hackers have compromised nearly two dozen U.S., European Union (EU) and Israeli defense technology companies using password spraying to wiggle their way into Office 365 tenants, Microsoft said in a new blog post.
The vendor’s threat intelligence researchers have linked Iran cyber operatives to a new “activity cluster” tracked since July 2021 in part because the targets have a number of things in common:
- U.S., EU and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.
- Additional targeted customers include those in geographic information systems, spatial analytics, regional ports of entry in the Persian Gulf and several maritime and cargo transportation companies with a business focus in the Middle East.
“This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” Microsoft wrote. The “extensive” campaign was levied on some 250 Office 365 tenants, Microsoft said. Its security researchers pointed out that Office 365 accounts with multi factor authentication (MFA) enabled are resilient against password sprays.
For now, Microsoft is referring to the campaign as DEV-0343, following its standard nomenclature to designate an unknown, emerging, or a developing cluster of threat activity until it has “high confidence” to identify the actor orchestrating the operation. Customers that have been targeted or compromised have been notified and given the necessary information to secure their accounts.
More on why suspect Iran:
- The targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans.
- Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.
- Given Iran’s past cyber and military attacks against shipping and maritime targets, the activity increases the risk to companies in these sectors.
“We encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat,” Microsoft said.
Microsoft’s security researchers recommended five actions to mitigate the threat activity:
- Enable MFA to mitigate compromised credentials.
- Download and use Microsoft’s password-less solutions to secure accounts.
- Review and enforce recommended Exchange Online access policies.
- Block ActiveSync clients from bypassing Conditional Access policies.
- Block all incoming traffic from anonymizing services where possible.
In its newly-released Digital Defense Report, Microsoft identified four Iranian cyber crews whose primary targets include U.S. defense and military contractors, IT services, governments, Israeli logistics companies, telecoms, academics and journalists. Iran is the only nation-state actor “willing to regularly engage in destructive attacks, mostly against Israel,” the report said.
Last January, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) identified Iranian hackers as behind a series of emailed death threats aimed at U.S. election officials in mid-December 2020. Months earlier both agencies had sternly warned in two alerts that Iranian cyber infiltrators were poised to launch offensives aimed at the 2020 elections.