An emerging threat actor likely acting in support of Iranian national
interests has been behind a password spraying campaign targeting
U.S., E.U., and Israeli defense technology companies, with
additional activity observed against regional ports of entry in the
Persian Gulf and against maritime and cargo transportation companies
operating in the Middle East.
Microsoft is tracking the hacking crew under the moniker
DEV-0343.
The intrusions, first observed in late July 2021, are believed to
have targeted more than 250 Office 365 tenants, fewer than 20 of
which were successfully compromised following a password spray[1]
attack, a form of brute-force attack in which a small number of
common passwords is tried against many different usernames, keeping
the attempts per account below the lockout threshold that a
conventional brute-force attempt on a single account would trip.
The evidence so far suggests that the activity is part of an
intellectual-property theft campaign aimed at government partners
producing military-grade radars, drone technology, satellite
systems, and emergency response communication systems, with the
likely goal of stealing commercial satellite imagery and proprietary
information.
DEV-0343’s Iranian connection is based on evidence of “extensive
crossover in geographic and sectoral targeting with Iranian actors,
and alignment of techniques and targets with another actor
originating in Iran,” researchers from Microsoft Threat
Intelligence Center (MSTIC) and Digital Security Unit (DSU)
said[2].
The password sprays emulate Firefox and Google Chrome browsers and
are launched from a series of unique Tor proxy IP addresses,
expressly used to obscure the actor's operational infrastructure.
Microsoft noted that the attacks peak between Sunday and Thursday
from 7:30 AM to 8:30 PM Iran Time (4:00 AM to 5:00 PM UTC), and that
dozens to hundreds of accounts within an organization are targeted,
depending on its size.
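The two characteristics described above, a wide-and-shallow failure pattern across many accounts and traffic arriving through Tor during a predictable working window, are what a defender can actually hunt for in Office 365 sign-in logs. The following Python script is an added example (not code from the original article, and not Microsoft's detection logic or the actor's tooling) that runs that heuristic over a constructed set of sign-in records. The record fields, the thresholds, and the Tor exit list are assumptions; the tenant-wide aggregate is there because a spray rotated across many exit nodes keeps every individual IP below a per-IP threshold.

```python
"""Heuristic detection of a low-and-slow password spray in sign-in logs.

Added example, not Microsoft's detection logic or DEV-0343's tooling.
Record fields, thresholds and the Tor exit list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: a Tor exit-node list you refresh from the Tor Project's bulk
# exit list. These are constructed RFC 5737 documentation addresses.
TOR_EXIT_IPS = {"198.51.100.7", "198.51.100.21", "203.0.113.9"}

WINDOW = timedelta(hours=1)
MIN_SHALLOW_USERS = 5      # a spray is wide: many accounts ...
MAX_ATTEMPTS_PER_USER = 3  # ... each hit only a few times, under lockout


def parse_ts(s):
    """Parse an ISO 8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def in_dev0343_hours(ts):
    """Sunday..Thursday, 04:00-17:00 UTC: the peak window Microsoft reported
    (7:30 AM-8:30 PM Iran Time). Enrichment only, not an indicator by itself."""
    utc = ts.astimezone(timezone.utc)
    return utc.weekday() in (6, 0, 1, 2, 3) and 4 <= utc.hour < 17


def detect_spray(events, window=WINDOW):
    """Slide a window over failed sign-ins. For each source IP, and for the
    whole tenant ('*'), alert when at least MIN_SHALLOW_USERS distinct
    accounts each failed at most MAX_ATTEMPTS_PER_USER times in the window.
    Counting only shallow accounts means one hammered admin account does not
    mask a spray running alongside it in the tenant-wide aggregate."""
    failures = sorted((e for e in events if e["result"] == "failure"),
                      key=lambda e: parse_ts(e["ts"]))
    alerts = {}
    for i, first in enumerate(failures):
        t0 = parse_ts(first["ts"])
        counts = defaultdict(lambda: defaultdict(int))  # src -> user -> n
        tor_hits = defaultdict(int)                      # src -> n via Tor
        for e in failures[i:]:
            if parse_ts(e["ts"]) - t0 >= window:
                break
            for key in (e["src_ip"], "*"):
                counts[key][e["user"]] += 1
                tor_hits[key] += int(e["src_ip"] in TOR_EXIT_IPS)
        for src, users in counts.items():
            shallow = sum(1 for n in users.values() if n <= MAX_ATTEMPTS_PER_USER)
            if shallow < MIN_SHALLOW_USERS:
                continue
            prev = alerts.get(src)
            if prev is None or shallow > prev["shallow_users"]:
                attempts = sum(users.values())
                alerts[src] = {
                    "window_start": t0.isoformat(),
                    "distinct_users": len(users),
                    "shallow_users": shallow,
                    "attempts": attempts,
                    "tor_share": tor_hits[src] / attempts,
                    "in_dev0343_hours": in_dev0343_hours(t0),
                }
    return alerts


def _ev(ts, user, ip, result):
    return {"ts": ts.isoformat(), "user": user, "src_ip": ip, "result": result}


# Constructed sample sign-in records, not real telemetry.
_T = datetime(2021, 7, 27, 9, 0, tzinfo=timezone.utc)   # a Tuesday, 09:00 UTC
_SPRAY_SRCS = ["198.51.100.7", "198.51.100.21", "203.0.113.9"]
SAMPLE_SIGNINS = (
    # spray: nine accounts, one attempt each, rotated over three Tor exits
    [_ev(_T + timedelta(minutes=2 * n), f"user{n:02d}@example.com",
         _SPRAY_SRCS[n % 3], "failure") for n in range(9)]
    # classic brute force: one account hammered from one IP on a Saturday night
    + [_ev(datetime(2021, 7, 31, 23, 0, tzinfo=timezone.utc) + timedelta(minutes=n),
           "admin@example.com", "192.0.2.50", "failure") for n in range(6)]
    # a user mistyping once, then succeeding, from the corporate range
    + [_ev(datetime(2021, 7, 28, 12, 0, tzinfo=timezone.utc),
           "user00@example.com", "192.0.2.10", "failure"),
       _ev(datetime(2021, 7, 28, 12, 1, tzinfo=timezone.utc),
           "user00@example.com", "192.0.2.10", "success")]
)

if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_SIGNINS).items():
        print(src, alert)
```

On the constructed sample only the tenant-wide key `*` fires: each Tor exit touched just three accounts, so no per-IP alert is raised, while the six failures against the admin account are recognized as a single-account brute force rather than a spray. The `tor_share` and `in_dev0343_hours` fields are enrichment for triage; a browser user agent is too generic to be worth a field of its own.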
Microsoft also pointed out that the actor's password spraying tool
resembles “o365spray[3],” an actively maintained open-source utility
aimed at Microsoft Office 365, and is urging customers to enable
multi-factor authentication, which blunts the impact of a guessed or
stolen password, and to block all inbound traffic from anonymizing
services wherever that is practical.
“Gaining access to commercial satellite imagery and proprietary
shipping plans and logs could help Iran compensate for its
developing satellite program,” the researchers said. “Given Iran’s
past cyber and military attacks against shipping and maritime
targets, Microsoft believes this activity increases the risk to
companies in these sectors.”