Since July 2021, Microsoft Threat Intelligence Center (MSTIC) has been tracking a new activity cluster that is targeting U.S. and Israel-based defense companies, maritime businesses with a presence in the Middle East, and ports of entry in the Persian Gulf, the company said in a blog post. Analyses of this activity have led the company to believe that it is supported by the Iranian state.
MSTIC assigns DEV-#### names to emerging and unknown clusters of threat activity until it has high confidence about their origin or the actor behind them. This cluster has been assigned the designation DEV-0343 and has been observed to be active mostly Sunday through Thursday, between 7:30 AM and 8:30 PM Iran Time (04:00 and 17:00 UTC), the company said in the blog post.
The targets are not just defense companies
DEV-0343 activity has targeted defense companies that produce military-grade radars, drone technology, satellite systems, and emergency response communication systems for the U.S., EU, and Israeli governments. It has also targeted maritime and cargo transportation companies with operations in the Middle East. Among its targets are also "customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf," the blog post said.
The hackers are using password spraying, in which a small set of likely passwords is tried against a large number of usernames, so that no single account accumulates enough failed attempts to be locked out. The attempts emulate a Firefox or Chrome browser and are sourced from an average of 150 to 1,000 unique Tor IP addresses per campaign, which also defeats simple per-IP blocking, the company said.
So far, Microsoft has detected such attacks against more than 250 Office 365 tenants, focused on two Exchange Online endpoints, Autodiscover and ActiveSync. Fewer than 20 tenants were actually compromised, and the company has notified the affected customers so they can take the necessary actions to secure their accounts.
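The two paragraphs above describe the shape of the attack: a handful of passwords against many accounts, each attempt from a different Tor exit, aimed at the Autodiscover and ActiveSync endpoints, during Iranian working hours. The following detection logic is an added example written for this page, not code from Microsoft or from the blog post. It runs over constructed sign-in events (the field names are an assumption loosely modelled on an Azure AD sign-in export) and flags the spray by counting distinct failing accounts per application rather than per source IP, since a campaign that rotates through hundreds of Tor IPs never trips a per-IP threshold. It also checks whether the attempts fall inside the Sunday-to-Thursday, 07:30-20:30 Iran Time window the page reports.

```python
"""Password-spray detection over sign-in events (added example, not Microsoft's
code). The page's facts it encodes: a spray tries few passwords across many
accounts to stay under lockout thresholds; DEV-0343 rotated through 150-1000
Tor IPs per campaign, emulated Firefox/Chrome, hit the Exchange Autodiscover and
ActiveSync endpoints, and worked Sunday-Thursday 07:30-20:30 Iran time.
Event field names are assumptions, loosely modelled on an Azure AD sign-in
export; the sample events below are constructed for this example."""
from collections import Counter
from datetime import datetime, time, timedelta, timezone

# Iran Standard Time as a fixed UTC+03:30 offset; this matches the page's own
# conversion of 07:30-20:30 IRST to 04:00-17:00 UTC.
IRST = timezone(timedelta(hours=3, minutes=30), "IRST")
FIREFOX_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"


def utc_at(day, hour, minute):
    """Helper for the constructed sample: a UTC timestamp in September 2021."""
    return datetime(2021, 9, day, hour, minute, tzinfo=timezone.utc)


# Constructed sample: 12 mailboxes, one failed ActiveSync logon each, every
# attempt from a different (documentation-range, i.e. fictitious) IP, all with
# the same Firefox user agent, spread over 22 minutes on a Sunday morning UTC.
SAMPLE_EVENTS = [
    {"ts": utc_at(12, 9, 2 * i), "user": f"user{i:02d}@example.com",
     "ip": f"198.51.100.{i + 1}", "app": "Exchange ActiveSync",
     "ua": FIREFOX_UA, "result": "failure"}
    for i in range(12)
]
# Benign noise: one user mistyping a password three times, then succeeding,
# from a single corporate IP. Per-user failures cluster; a spray's do not.
SAMPLE_EVENTS += [
    {"ts": utc_at(12, 9, 5 + i), "user": "alice@example.com", "ip": "203.0.113.7",
     "app": "Outlook", "ua": "Outlook/16.0", "result": r}
    for i, r in enumerate(["failure", "failure", "failure", "success"])
]


def in_dev0343_hours(ts_utc):
    """True if ts_utc falls Sunday-Thursday, 07:30-20:30 Iran time (the page's
    working hours for DEV-0343). weekday(): Monday=0 ... Sunday=6."""
    local = ts_utc.astimezone(IRST)
    return local.weekday() in (6, 0, 1, 2, 3) and time(7, 30) <= local.time() <= time(20, 30)


def detect_spray(events, window=timedelta(minutes=60), min_users=10, max_per_user=2):
    """Return one alert per application in which some sliding window of
    failed logons contains >= min_users distinct accounts with no account
    failing more than max_per_user times.

    The threshold is deliberately per application, not per source IP: with
    hundreds of rotating Tor exits each IP may appear only once, so per-IP
    counters never trip. Distinct-IP and user-agent counts are reported as
    enrichment instead."""
    failures = sorted((e for e in events if e["result"] == "failure"), key=lambda e: e["ts"])
    by_app = {}
    for e in failures:
        by_app.setdefault(e["app"], []).append(e)

    alerts = []
    for app, evs in by_app.items():
        per_user, best = Counter(), None
        start = 0
        for end, e in enumerate(evs):
            per_user[e["user"]] += 1
            # Slide the window: drop failures older than `window` before this one.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            spray_shaped = len(per_user) >= min_users and max(per_user.values()) <= max_per_user
            if spray_shaped and (best is None or len(per_user) > best[0]):
                best = (len(per_user), start, end)
        if best is not None:
            n_users, s, t = best
            win = evs[s:t + 1]
            alerts.append({
                "app": app,
                "distinct_users": n_users,
                "distinct_ips": len({x["ip"] for x in win}),
                "user_agents": sorted({x["ua"] for x in win}),
                "window_start": win[0]["ts"],
                "window_end": win[-1]["ts"],
                # Share of attempts inside DEV-0343's working hours (1.0 = all).
                "dev0343_hours_share": sum(in_dev0343_hours(x["ts"]) for x in win) / len(win),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the ActiveSync group produces one alert covering 12 accounts from 12 distinct IPs and a single user agent, with every attempt inside DEV-0343's working hours, while Alice's three failures never trigger anything because they belong to one account. The thresholds (10 accounts, at most 2 failures each, 60-minute window) are starting points to tune against a tenant's own baseline; the hours-of-activity share is enrichment for an analyst, not a detection criterion on its own.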
Microsoft believes that the pattern of actions points towards this activity originating from Iran. Access gained from these attacks is likely to help Iran compensate for its developing satellite program, the blog post said.
Microsoft recommends that customers enable multifactor authentication to mitigate compromised credentials, adopt passwordless solutions such as Microsoft Authenticator, review and enforce the recommended access policies, and block incoming traffic from anonymizing services where possible. One caveat worth stating plainly: Autodiscover and ActiveSync accept basic (legacy) authentication, so MFA protects those endpoints only if legacy authentication is also blocked or brought under Conditional Access.