
Iranian hackers ramp up attacks against IT services sector

Microsoft security researchers warn hacking is part of broader cyber espionage effort

Iranian hackers are targeting companies in the IT services sector in order to steal credentials that give them access to those providers' downstream customer networks, which they then use to mount further attacks.

Security researchers at the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) said this new campaign is part of a broader spying objective to compromise organizations of interest to the Iranian regime.

Researchers said they had already sent more than 1,600 notifications to over 40 IT companies in response to Iranian targeting so far in 2021, compared to 48 notifications in the whole of 2020.

To date, most attacks have been focused on Indian IT services firms, which are heavily used by companies in the US. Some targets were also based in Israel and the United Arab Emirates.

Microsoft attributes the activity to two hacking groups, which it tracks as DEV-0228 and DEV-0056. The former compromised a single Israel-based IT company that provides business management software in July 2021.

“Based on MSTIC’s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel,” said researchers.

This group dumped credentials from the on-premises network of an IT provider based in Israel in early July.

“Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” they said.


In September, researchers observed a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company whose clients include the Bahrain Government, which was likely DEV-0056's ultimate target.

“DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October,” added researchers.

This follows a warning from the US Cybersecurity and Infrastructure Security Agency (CISA) that Iranian government-sponsored APT actors are “actively targeting a broad range of victims across multiple US critical infrastructure sectors, including the transportation sector and the Healthcare and public health sector, as well as Australian organizations.”

"FBI, CISA, ACSC, and NCSC assess the actors are focused on exploiting known vulnerabilities rather than targeting specific sectors. These Iranian government-sponsored APT actors can leverage this access for follow-on operations, such as data exfiltration or encryption, ransomware, and extortion,” it added.
