Paul Prudhomme, Head of Threat Intelligence Advisory at Insights, a Rapid 7 Company
The recent announcement by Microsoft that Iran-linked hackers targeted Office 365 users of US and Israeli defence technology companies isn’t much of a surprise, particularly as the US and Israel are top targets of Iranian cyber activity due to their long-standing rivalry with the current Iranian government.
Disruption and destruction have been a constant feature of state-sponsored Iranian attacks since 2012 and government agencies and defence contractors are their top targets due to the political and military intelligence, and the defence intellectual property they hold.
It is therefore, not a surprise that Iran have been linked to a password-guessing attack on Office 365 accounts of defence companies, which, according to Microsoft, had similar techniques and targets to other Iran-linked threat actors. The end goal was to gain access to commercial satellite imagery and proprietary shipping plans and logs, which would be used to improve Iran’s satellite programme.
State-sponsored Iranian actors are generally less sophisticated than their more advanced and well-resourced counterparts in Russia or China. For example, they rarely exploit the zero-day vulnerabilities that their more technical allies may exploit. They also often practice weaker operational security that enables security researchers, governments, and victims to detect and attribute their attacks.
While they may be less sophisticated in some areas of cyber war, Iranian actors are equally capable, if not more so, in the area of social engineering. Iran have been known to use other methods of social engineering in the past. For example, they often invest considerable effort in developing more elaborate social engineering personas on LinkedIn and elsewhere to persuade potentially suspicious targets to open malicious links or attachments.
The US and Israel have not been the only victims of cyber-attacks, with Saudi Arabia and the UAE seen as key targets for Iran as well. Saudi Arabia tensions with Iran arose due to a variety of political, economic, sectarian, and ethnic factors, including their participation in a regional proxy war in Yemen. The UAE, on the other hand is a target due to a wider range of factors, including diplomatic and economic tensions, the roles of Dubai and Abu Dhabi as global business and transportation hubs, and the presence of many Iranian expatriates in the UAE.
Iran have not only targeted key military and political targets but also economic targets as well. For example, the Shamoon wiper malware attacks on the national oil & gas companies of Saudi Arabia and Qatar set a precedent for future wiper malware attacks on that sector, primarily in the Persian Gulf, in subsequent years.
Government and defence organisations will always be top targets for nation-state attackers. It is therefore imperative that se organisations invest in robust security measures to protect themselves from attacks such as this one. Password guessing attacks can be mitigated relatively easily by implementing two-factor authentication and updating passwords regularly.
Organisations should seek to understand which state-sponsored actors are most likely to attack them in order to enhance their defences against such attacks as many state-sponsored actors target specific industries and/or specific geographic areas in order to achieve their objectives.
Attacks can also highlight which specific types of information and infrastructure threat actors are most likely to target, therefore security teams can enhance the defences of those specific targets with solutions such as encryption and network segmentation.
Cyber-attacks by Iran-sponsored actors show no sign of slowing down, therefore the US and its allies must ensure they have adequate defences to protect sensitive information falling into the hands of its political rival.