Iranian hackers ramp up attacks against IT services sector

Microsoft security researchers warn hacking is part of broader cyber espionage effort

Iranian hackers are targeting companies in the IT services sector in a bid to steal credentials belonging to downstream customer networks to enable further attacks.

Security researchers at the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) said this new campaign is part of a broader spying objective to compromise organizations of interest to the Iranian regime.

Researchers said they had already sent  more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020.

To date, most attacks have been focused on Indian IT services firms, which are used a lot by companies in the US. Some targets were also based in Israel and the United Arab Emirates.

Two hacking groups, tracked by Microsoft as DEV-0228 and DEV-0056. The former compromised a single Israel-based IT company that provides business management software in July 2021.

“Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel,” said researchers.

This group dumped credentials from the on-premises network of an IT provider based in Israel in early July.

“Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” they said.

Related Resource

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

2021 state of email security report: Ransomware on the rise - whitepaper from MimecastFree download

In September, researchers observed a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056's ultimate target.

“DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October,” added researchers.

This follows a warning from the US Cybersecurity and Infrastructure Security Agency  (CISA) that Iranian government-sponsored APT actors are “actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the Healthcare and public health sector, as well as Australian organizations.”

"FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021
Five things to consider before choosing an MFA solution
Security

Five things to consider before choosing an MFA solution

17 Dec 2021
Australia and US sign CLOUD Act data-sharing deal to support criminal investigations
cyber crime

Australia and US sign CLOUD Act data-sharing deal to support criminal investigations

16 Dec 2021

Most Popular

Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022