{"id":44013,"date":"2021-11-18T16:00:37","date_gmt":"2021-11-18T16:00:37","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=101943"},"modified":"2021-11-18T16:00:37","modified_gmt":"2021-11-18T16:00:37","slug":"iranian-targeting-of-it-sector-on-the-rise","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/iranian-targeting-of-it-sector-on-the-rise\/","title":{"rendered":"Iranian targeting of IT sector on the rise"},"content":{"rendered":"

Iranian threat actors are increasing attacks against IT services companies as a way to access their customers\u2019 networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) assess this is part of a broader espionage objective to compromise organizations of interest to the Iranian regime.<\/p>\n

Until July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets. As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers\u2019 public and private sector customers around the world matching nation state interests.<\/p>\n

To date this year, Microsoft has issued more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020, making this a significant increase from years past (Figure 1). The focus of several Iranian threat groups on the IT sector particularly spiked in the last six months \u2013 roughly 10-13% of our notifications were related to Iranian threat activity in the last six months, compared to two and a half percent in the six months prior (Figure 2). Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and United Arab Emirates. Although different in technique from other recent supply chain attacks, these attacks represent another example of how nation state actors are increasingly targeting supply chains as indirect vectors to achieve their objectives.<\/p>\n

\"Column<\/p>\n

Figure 1: Number of notifications sent to IT Services related to Iran-based actor targeting<\/em><\/p>\n

\"Column<\/p>\n

Figure 2: Percentage of notifications per quarter sent to IT Services NSNs related to Iran-based activity<\/em><\/p>\n

As with any observed nation state actor activity, Microsoft has directly notified customers that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.<\/p>\n

Observed activity<\/h2>\n

In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC\u2019s assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056\u2019s ultimate target. DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October.<\/p>\n

MSTIC detected a significant increase in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.<\/p>\n

Credential theft leads to downstream compromise<\/h3>\n

DEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company. MSTIC assesses at least four (4) of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. Here are two such examples:<\/p>\n