Microsoft has warned that hackers linked to Iran are targeting Office 365 tenants, mainly at defense technology firms.
Researchers at the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) have published details of a newly identified threat actor with links to Iran. The actor has been running a password spraying campaign against US, EU, and Israeli defense technology firms.
The same actor has also been observed targeting Middle Eastern maritime and cargo transportation companies and regional ports of entry on the Persian Gulf. Microsoft tracks the group under the temporary designation DEV-0343 (a name Microsoft assigns to unattributed activity clusters, not one the group uses itself). Its activity is aimed chiefly at Office 365 tenants.
What is a Password Spraying Attack?
In a password spray, the attacker takes a short list of common or likely passwords and tries each one against many accounts, rather than trying many passwords against one account. Each account sees only one or two failed logins before the attacker moves on, so per-account lockout thresholds are never reached, and by spreading the attempts across many source IP addresses (here, Tor exit nodes) the attacker also stays under the radar of IP-based blocking. The pattern is wide and shallow: many accounts, few failures each, many sources.
About the Campaign
According to Microsoft's blog post, the activity was first observed in July 2021. More than 250 Office 365 tenants were targeted by the password spray, and fewer than 20 were successfully compromised. Microsoft's guidance to those tenants centers on multifactor authentication (MFA), which a guessed password alone cannot satisfy.
The campaign is assessed to support Iranian national interests: the techniques and the choice of targets overlap closely with those of another threat actor already linked to Iran.
DEV-0343's password spray tool most recently targets the Exchange Autodiscover and ActiveSync endpoints. Both accept legacy (basic) authentication, which lets the tool validate username and password pairs directly without going through an interactive browser sign-in and the protections attached to it; blocking legacy authentication for a tenant removes that path.
“Targeting in this DEV-0343 activity has been observed across defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems,” Microsoft’s blog post read.
The spray tool presents user agents that imitate Firefox and Chrome, and its attempts are routed through a large pool of distinct Tor proxy IP addresses to conceal the attackers' operational infrastructure. Activity was concentrated between Sunday and Thursday, roughly 04:00 to 17:00 UTC.
Iranian Link Suspected
The threat actor's ultimate goal appears to be access to commercial satellite imagery and to proprietary shipping plans and logs, which could support Iran's still-developing satellite program.
“They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization,” researchers stated.
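The two characteristics described above, the wide-and-shallow failure pattern of a password spray and DEV-0343's habit of spreading attempts over Tor exits against legacy Exchange endpoints inside a fixed weekly window, can be turned into a simple detection over sign-in logs. The following is an added example written for this page; it is not Microsoft's code, not a Microsoft hunting query, and not taken from the original article. The log field names and the status codes are assumptions loosely modelled on Azure AD sign-in logs, the `TOR_EXITS` set is a constructed placeholder for a real exit-node list, the sample events are constructed, and the thresholds are illustrative. It reports a bucket as a spray only when many accounts each see a few failures, so a brute-force attack against a single account with the same total failure count is deliberately not reported.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed field names, loosely modelled on Azure AD sign-in logs; not a Microsoft schema.
# status 0 = success, 50126 = invalid username or password (constructed convention).
LEGACY_APPS = {"Exchange ActiveSync", "Autodiscover"}   # endpoints named in the article
# Constructed stand-in for a real Tor exit-node list (203.0.113.0/24 is TEST-NET-3).
TOR_EXITS = {f"203.0.113.{n}" for n in range(1, 11)}
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"


def make_sample_events():
    """Constructed sample sign-in log as JSON lines (not real data) for one tenant."""
    base = datetime(2021, 7, 4, 5, 0, tzinfo=timezone.utc)   # a Sunday, 05:00 UTC
    events = []
    # 1) Spray: 25 accounts, 2 guesses each, every guess from a fresh address,
    #    against ActiveSync with a spoofed Firefox user agent.
    for i in range(25):
        for attempt in range(2):
            events.append({
                "ts": (base + timedelta(minutes=i, seconds=30 * attempt)).isoformat(),
                "user": f"user{i:02d}@contoso.example",
                "ip": f"203.0.113.{2 * i + attempt + 1}",
                "app": "Exchange ActiveSync",
                "ua": FIREFOX_UA,
                "status": 50126,
            })
    # 2) Brute force: one account hammered 30 times from one address an hour later.
    #    Same order of failure volume, different shape: must not be reported as a spray.
    for k in range(30):
        events.append({
            "ts": (base + timedelta(hours=1, seconds=k)).isoformat(),
            "user": "cfo@contoso.example",
            "ip": "198.51.100.7",
            "app": "Exchange ActiveSync",
            "ua": FIREFOX_UA,
            "status": 50126,
        })
    # 3) Ordinary successful logins from the office (192.0.2.0/24 is TEST-NET-1).
    for i in range(5):
        events.append({
            "ts": (base + timedelta(minutes=30 + i)).isoformat(),
            "user": f"user{i:02d}@contoso.example",
            "ip": "192.0.2.10",
            "app": "Office 365 Exchange Online",
            "ua": FIREFOX_UA,
            "status": 0,
        })
    return [json.dumps(e) for e in events]


def parse_events(lines):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def in_dev0343_window(ts):
    """Sunday to Thursday, 04:00-17:00 UTC: the activity window the article reports."""
    return ts.weekday() in (6, 0, 1, 2, 3) and 4 <= ts.hour < 17


def detect_spray(events, min_accounts=10, max_failures_per_account=3):
    """Bucket failed sign-ins by hour and report buckets where many accounts each
    see only a few failures (wide and shallow), enriched with the DEV-0343 traits."""
    buckets = defaultdict(list)
    for e in events:
        if e["status"] != 0:
            buckets[e["ts"].replace(minute=0, second=0, microsecond=0)].append(e)
    findings = []
    for start, fails in sorted(buckets.items()):
        per_account = Counter(e["user"] for e in fails)
        shallow = [u for u, n in per_account.items() if n <= max_failures_per_account]
        if len(shallow) < min_accounts:
            continue   # a single hammered account is a brute-force alert, not a spray
        ips = {e["ip"] for e in fails}
        findings.append({
            "window_start": start,
            "targeted_accounts": len(shallow),
            "distinct_ips": len(ips),
            "tor_share": len(ips & TOR_EXITS) / len(ips),
            "legacy_share": sum(e["app"] in LEGACY_APPS for e in fails) / len(fails),
            "top_user_agent": Counter(e["ua"] for e in fails).most_common(1)[0][0],
            "in_dev0343_window": in_dev0343_window(start),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_spray(parse_events(make_sample_events())):
        print(finding)
```

Run as-is it reports exactly one window, the 05:00 UTC bucket, with 25 targeted accounts spread over 50 source addresses, all of them hitting a legacy endpoint; the 06:00 bucket with 30 failures against one account is not reported. The `tor_share` and `legacy_share` fields are the cheap enrichments that separate this actor's pattern from a noisy but benign burst of mistyped passwords; on real data, `TOR_EXITS` would be fed from a current exit-node list and the thresholds tuned to the tenant's size.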
Microsoft says it has notified the targeted customers directly, with guidance on securing their accounts.