In large-scale password spraying attacks, Iran-linked threat actors are targeting Office 365 tenants of US and Israeli military technology businesses.
In password spray attacks, attackers try to brute-force accounts by trying the same small set of passwords across numerous accounts at the same time, and they spread the attempts across many IP addresses to disguise the failed logins.
This allows them to bypass automatic protections such as account lockout and malicious IP blocking, both of which are meant to stop repeated failed login attempts.
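Because each account sees only a handful of failures and the attempts arrive from several source addresses, lockout and single-IP blocking stay silent; the detection has to key on breadth (how many accounts fail in a window) instead. The following is an added example, not code from the article or from Microsoft, that runs that check over constructed sign-in records (the CSV layout, thresholds and bucket size are assumptions):

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample sign-in records (not real data): timestamp,account,source_ip,result
SAMPLE_LOG = """\
2021-10-11T08:00:01,alice@example.com,203.0.113.10,failure
2021-10-11T08:00:04,bob@example.com,203.0.113.11,failure
2021-10-11T08:00:09,carol@example.com,198.51.100.7,failure
2021-10-11T08:00:15,dave@example.com,203.0.113.10,failure
2021-10-11T08:00:22,erin@example.com,192.0.2.44,failure
2021-10-11T08:00:31,frank@example.com,198.51.100.7,failure
2021-10-11T08:01:02,alice@example.com,192.0.2.44,failure
2021-10-11T09:12:00,heidi@example.com,203.0.113.99,failure
2021-10-11T09:12:30,heidi@example.com,203.0.113.99,failure
2021-10-11T09:13:00,heidi@example.com,203.0.113.99,success
"""

def parse_log(text):
    """Parse CSV lines into (timestamp, account, ip, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, account, ip, result = line.split(",")
        events.append((datetime.fromisoformat(ts), account, ip, result))
    return events

def detect_spray(events, bucket_minutes=10, min_accounts=5, lockout_threshold=5):
    """Flag time buckets where many distinct accounts each fail only a few times.
    Per-account lockout never fires (each account stays under the threshold) and
    blocking one IP does not help when attempts come from several sources, so the
    detection keys on breadth (accounts hit) rather than depth (attempts per account)."""
    failures = defaultdict(lambda: defaultdict(int))  # bucket -> account -> failed attempts
    sources = defaultdict(set)                         # bucket -> distinct source IPs
    for ts, account, ip, result in events:
        if result != "failure":
            continue
        bucket = ts.replace(minute=ts.minute - ts.minute % bucket_minutes, second=0)
        failures[bucket][account] += 1
        sources[bucket].add(ip)
    findings = []
    for bucket, per_account in sorted(failures.items()):
        if len(per_account) >= min_accounts and max(per_account.values()) < lockout_threshold:
            findings.append({"window_start": bucket.isoformat(),
                             "accounts": len(per_account),
                             "source_ips": len(sources[bucket]),
                             "max_failures_per_account": max(per_account.values())})
    return findings

if __name__ == "__main__":
    for finding in detect_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

The single account with repeated failures at 09:12 is not flagged, which is the point: a spray looks like one or two failures on many accounts, not many failures on one.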
Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) have been tracking the activity cluster since late July and have given it the temporary name DEV-0343.
Microsoft wrote in a blog post on Monday that, “Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program.”
Microsoft has not directly attributed the activity to Iran, but says this ongoing malicious behavior is consistent with Iranian national objectives, because its tactics and targets resemble those of another Iran-linked threat actor.
“Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems,” Microsoft says.
“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East.”
The ultimate objective of the DEV-0343 operators is to acquire access to commercial satellite images as well as private shipping plans and logs, which would be utilized to supplement Iran’s in-development satellite programme.
Microsoft has directly contacted customers who were targeted or compromised and given them the information they need to protect their accounts.
The objective of disclosing information about the attacks now is to help companies prepare for future breaches, according to Lambert. He went on to say that the hackers could try to get into targeted businesses’ internal networks using stolen login credentials. According to Microsoft, the hackers attempted to breach over 250 companies, including unidentified US and Israeli defense corporations and groups operating in Persian Gulf ports, and were able to access “less than 20” of them.
Iran’s intelligence services have always been interested in the maritime industry, and the country sits on the Strait of Hormuz, through which about a fifth of the world’s oil exports pass. The Washington state-based technology provider said, “Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors.” While this activity appears to be focused on Persian Gulf ports, such threats have already forced US maritime authorities to strengthen their network defenses.
The Port of Houston’s computer network was infiltrated by unidentified hackers in August, according to US officials. According to a Coast Guard investigation of the event obtained by CNN, early identification of the incident meant the attackers were unable to impede maritime operations.
“The shipping lanes are the highways of the sea,” Lambert said. “And anything related to that is going to be in the crosshairs and subject to geopolitical dynamics.”