By: Ravie Lakshmanan
An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East.
Microsoft is tracking the hacking crew under the moniker DEV-0343.
The intrusions, which were first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised following a password spray attack — a type of brute force attack wherein the same password is cycled against different usernames to log into an application or a network in an effort to avoid account lockouts.
Indications thus far suggest that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems, with the likely goal of stealing commercial satellite images and proprietary information.
DEV-0343’s Iranian connection is based on evidence of “extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” researchers from Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) said.
The password sprays emulate Firefox and Google Chrome browsers and rely on a series of unique Tor proxy IP addresses used expressly to obfuscate the operators' infrastructure. Noting that the attacks peaked between Sunday and Thursday from 7:30 AM to 8:30 PM Iran Time (4:00 AM to 5:00 PM UTC), Microsoft said dozens to hundreds of accounts within an entity were targeted, depending on the size of the organization.
The Redmond-based tech giant also pointed out the password spraying tool's similarities to "o365spray," an actively updated open-source utility aimed at Microsoft Office 365, and is now urging customers to enable multi-factor authentication to limit the impact of compromised credentials and to block all incoming traffic from anonymizing services wherever applicable.
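A sign-in log check for the spray pattern described above (one source failing against many accounts while staying under the per-account lockout count, then succeeding on one), added here as an example; it is not code from the article or from Microsoft. The log format, IP addresses, accounts and thresholds are constructed, and the reported 04:00-17:00 UTC operating window is used only as a corroborating flag.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample Office 365 sign-in events (not real data): time, source IP, account, outcome.
SAMPLE_LOG = """\
2021-07-28T04:05:10Z 198.51.100.7 alice@example.test FAIL
2021-07-28T04:05:14Z 198.51.100.7 bob@example.test FAIL
2021-07-28T04:05:19Z 198.51.100.7 carol@example.test FAIL
2021-07-28T04:05:23Z 198.51.100.7 dave@example.test FAIL
2021-07-28T04:05:28Z 198.51.100.7 erin@example.test FAIL
2021-07-28T04:05:33Z 198.51.100.7 frank@example.test SUCCESS
2021-07-28T09:12:01Z 203.0.113.9 alice@example.test FAIL
2021-07-28T09:12:05Z 203.0.113.9 alice@example.test FAIL
"""
SPRAY_MIN_ACCOUNTS = 5       # distinct accounts one source must fail against (assumed tuning)
LOCKOUT_THRESHOLD = 3        # per-account failure count a sprayer stays under (assumed policy)
ACTIVE_WINDOW_UTC = (4, 17)  # 04:00-17:00 UTC, the operating hours Microsoft reported

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"time": when, "ip": ip, "user": user, "outcome": outcome})
    return events

def detect_sprays(events, min_accounts=SPRAY_MIN_ACCOUNTS, lockout=LOCKOUT_THRESHOLD):
    """Return {ip: summary} for sources whose failures fan out across many accounts
    while each account stays below the lockout threshold (spray, not brute force)."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> account -> failure count
    successes, hours = defaultdict(set), defaultdict(list)
    for ev in events:
        if ev["outcome"] == "FAIL":
            fails[ev["ip"]][ev["user"]] += 1
        else:
            successes[ev["ip"]].add(ev["user"])  # a success after a spray is the priority alert
        hours[ev["ip"]].append(ev["time"].hour)
    findings = {}
    for ip, per_user in fails.items():
        if len(per_user) >= min_accounts and max(per_user.values()) < lockout:
            findings[ip] = {
                "accounts_tried": len(per_user),
                "max_failures_per_account": max(per_user.values()),
                "compromised": sorted(successes[ip]),
                # corroborating signal only: all activity inside the reported working hours
                "in_reported_hours": all(ACTIVE_WINDOW_UTC[0] <= h < ACTIVE_WINDOW_UTC[1] for h in hours[ip]),
            }
    return findings
```

Running `detect_sprays(parse_log(SAMPLE_LOG))` flags only 198.51.100.7 (five accounts, one failure each, one success); the repeated failures from 203.0.113.9 against a single account are left for a conventional brute-force rule.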
“Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” the researchers said. “Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors.”