Introduction

Intelligence and law enforcement agencies in Australia [1], Canada [1] [4] [5] [9], and the United States have identified a sustained cyber campaign by Iranian actors targeting critical infrastructure sectors. This campaign, which began in October 2022 [1], employs sophisticated techniques to compromise systems across various industries, posing significant risks to public safety and data integrity.

Description

Intelligence and law enforcement agencies in Australia [1], Canada [1] [4] [5] [9], and the US have reported a year-long campaign by Iranian cyber actors against critical infrastructure organizations, which began in October 2022 [1]. The campaign affects multiple sectors, including healthcare [1] [4] [5] [6] [7] [10], public health [3], education [7], government [1] [2] [3] [4] [5] [6] [9] [10] [11], information technology [1] [4] [6] [10], engineering [1] [2] [3] [4] [5] [6] [9] [10], and energy [1] [3] [5] [6] [9] [10]. The actors rely on aggressive password-cracking techniques such as brute force attacks, password spraying [2] [3] [5] [6] [7] [8] [9] [11], and multifactor authentication (MFA) fatigue [2] [3] [4] [5] [6] [9] [11], also known as “push bombing.” The latter technique overwhelms users with repeated mobile phone notifications until they inadvertently approve an unauthorized access request or disable the notifications altogether.

These threat actors gain initial access to systems like Microsoft 365, Azure [3] [5] [6] [7], and Citrix through valid user accounts, often utilizing tactics such as MFA fatigue to deceive users. Once inside [7] [10] [11], they conduct reconnaissance to gather victim identity information and frequently modify MFA registrations to maintain persistent access. Reports indicate that these Iranian cybercriminals sell stolen credentials and access on dark web forums, facilitating subsequent attacks by ransomware gangs and other cybercriminals [11]. Their focus on essential services poses risks of significant disruptions [11], public safety endangerment [11], and the compromise of sensitive data [11].

In confirmed incidents [3] [5], attackers have exploited compromised users’ open MFA registrations to register their own devices, and have used self-service password reset tools associated with public-facing Active Directory Federation Services to reset accounts with expired passwords [5]. They often exploit publicly accessible password reset systems to gain entry [2], and their malicious activity is frequently conducted over a VPN [5], with some actions traced back to exit nodes of the Private Internet Access VPN service [6]. They employ living-off-the-land techniques [6], using Remote Desktop Protocol (RDP) and PowerShell for lateral movement within networks [2] and to gather information about target systems and internal networks [6].

Additionally, the actors leverage open-source tools and methodologies, such as Kerberos Service Principal Name enumeration [3] [6], to escalate privileges and gather further credentials [6]. In some instances [6] [9], they have downloaded files related to remote access and organizational inventory [6], likely for exfiltration or resale [6]. Notably, the Iranian-backed group CyberAv3ngers has been implicated in a breach at the Municipal Water Authority of Aliquippa [8], exploiting vulnerabilities in Israeli-made Unitronics PLCs [8].

To detect their activities [6], organizations are advised to monitor authentication logs for repeated failed login attempts, unusual logins from unexpected IP addresses or devices, and suspicious login activities such as changing usernames and “impossible travel” patterns [9]. Security teams should also be vigilant for signs of credential dumping and other suspicious activities, with specific Indicators of Compromise (IoCs) provided [3], including file hashes [3], IP addresses [3] [7], and device information [2] [3]. Mitigations suggested include implementing strong password policies [6], deleting accounts of departed staff [10], enabling phishing-resistant MFA [7] [9] [10], and regularly auditing MFA settings [7] [10], in line with the Cross-Sector Cybersecurity Performance Goals developed by the Cybersecurity and Infrastructure Security Agency (CISA) [6]. Software manufacturers are encouraged to adopt secure design principles to enhance customer security against compromised credentials [6]. NIST’s recent guidelines advocate for longer [9], more randomized passwords and suggest that users should only change their login information when there is evidence of a compromise [9].
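As an added example, not taken from the advisory or any of the cited sources, the following Python detection logic applies two of the checks described above, password spraying (one source IP failing against many distinct accounts) and MFA push bombing (a burst of MFA prompts to one user), to constructed sample log events. The event format, usernames, IP addresses and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not from the advisory): (time, user, source IP, outcome).
# Entries 1-6 model a spray from one IP across many accounts; 7-8 a normal retry by one user.
SIGNINS = [
    ("2024-10-01T08:00:01", "alice", "203.0.113.5", "fail"),
    ("2024-10-01T08:00:03", "bob", "203.0.113.5", "fail"),
    ("2024-10-01T08:00:05", "carol", "203.0.113.5", "fail"),
    ("2024-10-01T08:00:07", "dave", "203.0.113.5", "fail"),
    ("2024-10-01T08:00:09", "erin", "203.0.113.5", "fail"),
    ("2024-10-01T08:00:11", "frank", "203.0.113.5", "success"),
    ("2024-10-01T09:00:00", "alice", "198.51.100.7", "fail"),
    ("2024-10-01T09:00:20", "alice", "198.51.100.7", "success"),
]
# Constructed MFA push events: (time, user, action). Frank receives a burst of prompts
# before approving one (the push-bombing pattern); Alice receives a single prompt.
MFA_PUSHES = [
    ("2024-10-01T08:01:00", "frank", "push_sent"),
    ("2024-10-01T08:01:30", "frank", "push_sent"),
    ("2024-10-01T08:02:00", "frank", "push_sent"),
    ("2024-10-01T08:02:30", "frank", "push_sent"),
    ("2024-10-01T08:03:00", "frank", "push_approved"),
    ("2024-10-01T09:00:05", "alice", "push_sent"),
]

def _peak_distinct(items, window):
    """Largest number of distinct keys inside any sliding window over (time, key) items."""
    items = sorted(items)
    return max((len({k for t, k in items[: i + 1] if t >= end - window})
                for i, (end, _) in enumerate(items)), default=0)

def detect_password_spray(signins, min_users=5, window=timedelta(minutes=10)):
    """Source IPs whose failed logins hit >= min_users distinct accounts within one window."""
    fails = defaultdict(list)
    for ts, user, ip, outcome in signins:
        if outcome == "fail":
            fails[ip].append((datetime.fromisoformat(ts), user))
    return {ip for ip, ev in fails.items() if _peak_distinct(ev, window) >= min_users}

def detect_mfa_fatigue(pushes, min_pushes=4, window=timedelta(minutes=5)):
    """Users who received >= min_pushes MFA prompts within one window (push bombing)."""
    sent = defaultdict(list)
    for n, (ts, user, action) in enumerate(pushes):
        if action == "push_sent":
            sent[user].append((datetime.fromisoformat(ts), n))  # n keeps each prompt distinct
    return {u for u, ev in sent.items() if _peak_distinct(ev, window) >= min_pushes}
```

Tune the thresholds to the tenant's normal failure rate; a spray across many accounts at a low per-account rate is exactly what per-account lockout counters miss.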

It is important to note that intrusion events may also involve third-party actors who purchase access from the Iranian group, so some tactics [6], techniques [1] [2] [3] [5] [6] [8] [9] [10] [11], and procedures (TTPs) and indicators of compromise (IoCs) may belong to these third-party actors rather than the Iranian group itself [6]. Caution is therefore advised when attributing malicious activity based solely on TTPs and IoCs [6]. The ongoing threat landscape indicates that these cyberthreat actors continue to use basic brute force attack methods to infiltrate systems and disrupt critical infrastructure [7]. The Iranian threat groups known as Br0k3r [11], Fox Kitten [11], and Pioneer Kitten have been identified as Iranian-backed and are associated with numerous global breaches [11], selling full domain control and credentials to ransomware affiliates and other threat actors [11]. The Microsoft Digital Defense Report 2024 indicates that state-affiliated actors [8], including Iran [2] [8], are increasingly collaborating with cybercriminals to achieve financial and intelligence-gathering objectives [8], using common tools and frameworks [8]. The consequences of these compromises can include ransomware attacks [2], data breaches [2] [8], supply chain disruptions [2], and significant impacts on downstream users [2], including potential power outages or water contamination [2]. Critical infrastructure operators are urged to address these threats responsibly and to review the latest advisories so that the recommended mitigations are implemented effectively.

Conclusion

The ongoing cyber campaign by Iranian actors underscores the critical need for robust cybersecurity measures across all sectors. Organizations must remain vigilant, implementing recommended mitigations to protect against unauthorized access and potential disruptions. As cyber threats continue to evolve, collaboration between international agencies and adherence to updated security guidelines will be essential in safeguarding critical infrastructure and maintaining public safety.

References

[1] https://www.infosecurity-magazine.com/news/iran-hackers-cni-brute-force/
[2] https://www.cyberdaily.au/security/11254-aussie-agencies-join-with-international-partners-to-warn-of-iranian-hacking-campaign
[3] https://thecyberexpress.com/iran-brute-force-attacks/
[4] https://cyberscoop.com/iranian-hackers-are-going-after-critical-infrastructure-sector-passwords-agencies-caution/
[5] https://www.cybersecuritydive.com/news/iran-linked-attacks-critical-infrastructure/730167/
[6] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-290a
[7] https://www.techtarget.com/healthtechsecurity/news/366613920/Iranian-cyberactors-use-brute-force-to-target-healthcare
[8] https://www.waterisac.org/portal/joint-advisory-%E2%80%93-iranian-cyber-actors-targeting-critical-infrastructure-organizations-using
[9] https://www.inforisktoday.com/iranian-hackers-using-brute-force-on-critical-infrastructure-a-26542
[10] https://globalnews.ca/news/10814131/cybersecurity-iran-brute-force-canada-us/
[11] https://www.bitdefender.com/en-gb/blog/hotforsecurity/iranian-hackers-fuel-cybercrime-with-infrastructure-access-deals/