Iranian hackers ramp up attacks against IT services sector

The flag of Iran depicted in programming code
(Image credit: Shutterstock)

Iranian hackers are targeting companies in the IT services sector in a bid to steal credentials belonging to downstream customer networks to enable further attacks.

Security researchers at the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) said this new campaign is part of a broader spying objective to compromise organizations of interest to the Iranian regime.

Researchers said they had already sent more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020.

To date, most attacks have been focused on Indian IT services firms, which are used a lot by companies in the US. Some targets were also based in Israel and the United Arab Emirates.

Two hacking groups, tracked by Microsoft as DEV-0228 and DEV-0056. The former compromised a single Israel-based IT company that provides business management software in July 2021.

“Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel,” said researchers.

This group dumped credentials from the on-premises network of an IT provider based in Israel in early July.

“Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” they said.


2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world


In September, researchers observed a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056's ultimate target.

“DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October,” added researchers.

This follows a warning from the US Cybersecurity and Infrastructure Security Agency (CISA) that Iranian government-sponsored APT actors are “actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the Healthcare and public health sector, as well as Australian organizations.”

"FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.