Iran Hacked US and Israeli Defence Tech Companies Using Microsoft 365
More than 250 Microsoft Office 365 accounts associated with the US, EU, and Israeli governments were compromised due to widespread password spraying. Additionally, Persian Gulf ports of entry and global marine transportation businesses with a presence in the Middle East were targeted.
Defence firms that serve US, EU, and Israeli government partners in producing military-grade radars, drone technology, satellite systems, and emergency response communication systems were among those compromised.
The Microsoft Threat Intelligence Center (MSTIC) began observing and tracking the activity in late July 2021. MSTIC detected the hacker organisation DEV-0343 performing significant password spraying against more than 250 Office 365 tenants, focusing on US and Israeli defence technology firms, Persian Gulf ports of entry, or global marine transportation corporations with a Middle Eastern presence. Around 20 of the targeted tenants were successfully penetrated, and DEV-0343 is constantly evolving its tactics to improve its attacks. According to MSTIC, Office 365 accounts with multifactor authentication (MFA) configured are resistant to password spraying.
Microsoft uses DEV-#### designations as a temporary name for an unknown, emerging, or growing cluster of threat activity. This allows MSTIC to track it as a unique collection of information until it can establish high confidence regarding the origin or identity of the actor behind the operation. A DEV is converted to a named actor once it fulfils the requirements. As with any observed nation-state actor activity, Microsoft has directly contacted customers who have been targeted or compromised and has provided them with the information they need to protect their accounts.
The DEV-0343 activity has targeted defence businesses that support US, EU, and Israeli government partners in producing military-grade radars, drone technologies, satellite systems, and emergency response communication systems. Customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and various marine and freight transportation firms with a Middle Eastern focus have also been targeted.
According to Microsoft, "based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran," this activity "likely supports the national interests of the Islamic Republic of Iran." Microsoft believes this targeting will help the Iranian government track adversary security services and marine transportation in the Middle East to improve its contingency plans. Access to commercial satellite photos and private shipping plans and logs might help Iran compensate for its growing satellite programme. Given Iran's previous cyber and military strikes on shipping and marine targets, Microsoft believes this activity raises the risk for firms in these industries.