Iranian hackers ramp up attacks against IT services sector

Microsoft security researchers warn hacking is part of broader cyber espionage effort

Iranian hackers are targeting companies in the IT services sector in a bid to steal credentials belonging to downstream customer networks to enable further attacks.

Security researchers at the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) said this new campaign is part of a broader spying objective to compromise organizations of interest to the Iranian regime.

Researchers said they had already sent  more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020.

To date, most attacks have been focused on Indian IT services firms, which are used a lot by companies in the US. Some targets were also based in Israel and the United Arab Emirates.

Two hacking groups, tracked by Microsoft as DEV-0228 and DEV-0056. The former compromised a single Israel-based IT company that provides business management software in July 2021.

“Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel,” said researchers.

This group dumped credentials from the on-premises network of an IT provider based in Israel in early July.

“Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” they said.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

In September, researchers observed a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056's ultimate target.

“DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October,” added researchers.

This follows a warning from the US Cybersecurity and Infrastructure Security Agency  (CISA) that Iranian government-sponsored APT actors are “actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the Healthcare and public health sector, as well as Australian organizations.”

"FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.

Featured Resources

2021 Thales cloud security study

The challenges of cloud data protection and access management in a hybrid and multi cloud world

Free download

IDC agility assessment

The competitive advantage in adaptability

Free Download

Digital transformation insights from CIOs for CIOs

Transformation pilotes, co-pilots, and engineers

Free download

What ITDMs did next - and what they should be doing now

Enable continued collaboration and communication for hybrid workers

Recommended

BitMart suspends withdrawals following hack
cryptocurrencies

BitMart suspends withdrawals following hack

6 Dec 2021
Bridging the DevSecOps divide: Spotlight on key relationships
Whitepaper

Bridging the DevSecOps divide: Spotlight on key relationships

3 Dec 2021
Planned Parenthood cyber attack exposes data of 400,000 patients
cyber attacks

Planned Parenthood cyber attack exposes data of 400,000 patients

3 Dec 2021
Bridging the DevSecOps divide: Spotlight on zero trust
Whitepaper

Bridging the DevSecOps divide: Spotlight on zero trust

3 Dec 2021

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
What is single sign-on (SSO)?
single sign-on (SSO)

What is single sign-on (SSO)?

2 Dec 2021