More than 250 Microsoft Office 365 accounts associated with the US, EU, and Israeli governments were compromised through widespread password spraying. Persian Gulf ports of entry and global marine transportation businesses with a presence in the Middle East were also targeted.
Defence firms that serve US, EU, and Israeli government partners in producing military-grade radars, drone technology, satellite systems, and emergency response communication systems were among those compromised.
The Microsoft Threat Intelligence Center (MSTIC) began observing and tracking the activity in late July 2021. MSTIC detected the threat group DEV-0343 performing significant password spraying against more than 250 Office 365 tenants, focusing on US and Israeli defence technology firms, Persian Gulf ports of entry, and global marine transportation corporations with a Middle Eastern presence. Around 20 of the targeted tenants were successfully penetrated, and DEV-0343 is constantly evolving its tactics to improve its attacks. According to MSTIC, Office 365 accounts with multifactor authentication (MFA) configured are resistant to password spraying.
Microsoft uses DEV-#### designations as a temporary name for an unknown, emerging, or growing cluster of threat activity, allowing MSTIC to track it as a unique collection of information until it can establish high confidence regarding the origin or identity of the actor behind the operation. A DEV is converted into a named actor once it fulfils the requirements. As with any observed nation-state actor activity, Microsoft has directly contacted customers who have been targeted or compromised and has provided them with the information they need to protect their accounts.
This DEV-0343 activity has targeted defence businesses that support US, EU, and Israeli government partners in producing military-grade radars, drone technologies, satellite systems, and emergency response communication systems. Customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and various marine and freight transportation firms with a Middle Eastern focus have also been targeted.
According to Microsoft, "based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran," this activity "likely supports the national interests of the Islamic Republic of Iran." Microsoft believes this targeting will help the Iranian government track enemy security services and marine transportation in the Middle East to improve its contingency plans. Having access to commercial satellite photos and private shipping plans and logs might assist Iran in compensating for its growing satellite programme. Given Iran's previous cyber and military strikes on shipping and marine targets, Microsoft believes this activity raises the risk for firms in these industries.