Microsoft has raised an alarm about a massive surge in Iranian state-sponsored hacking attempts against IT services firms.

According to Microsoft, attacks from state-sponsored Iranian hackers on IT services firms were virtually non-existent in 2020, but this year exceeded 1,500 potential attacks. 

“Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks,” it said.

Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and the United Arab Emirates. Microsoft said that these attacks are another example of how nation-state actors are increasingly targeting supply chains as an indirect approach to their real targets.

“Until July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets,” Microsoft said in a blogpost from its Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU).

“Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain.”

It would seem Iranian hackers have learned lessons from successful software supply-chain hacks, such as the attack on SolarWinds, which targeted US federal agencies and key US cybersecurity firms, including Microsoft: the US and UK blamed that attack on Russia’s Foreign Intelligence Service. 

Microsoft says the Iranian attacks on IT services firms have trended upwards significantly in the past six months. 

“As India and other nations rise as major IT services hubs, more nation-state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation-state interests,” Microsoft noted. 

Microsoft said it issued 1,788 nation-state notifications about Iranian actors to enterprise customers in India from mid-August to late September, roughly 80% of which were to IT companies, up from just 10 notifications issued in the previous three years in response to previous Iranian targeting. 

“Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India,” Microsoft said.

Microsoft is tracking the emerging threat actor as DEV-0228. This week, Microsoft also highlighted Iran’s growing interest in using ransomware to disrupt targets and coordinate these attacks with physical operations. 

The US, UK, and Australian governments subsequently urged admins to immediately patch Exchange email server and Fortinet VPN vulnerabilities. And last month, Microsoft warned that Iranian hackers were using password attacks against 250 Israeli and US organizations operating in the Persian Gulf.

DEV-0228 used its access to an IT company to extend the compromise to that company's customers in the defense, energy, and legal sectors in Israel, according to Microsoft.

“DEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” it said.