Image: Sina Drakhshani

Microsoft says Iranian-backed hacking groups have increasingly attempted to compromise IT services companies this year to steal credentials they could use to breach the systems of downstream clients.

According to security analysts at Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU), this activity is part of a wider espionage objective to compromise entities of interest to the Iranian regime.

"This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain," Microsoft said.

"Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks."

Redmond has sent over 1,600 notifications to alert more than 40 IT companies of hacking attempts coordinated by Iranian APT groups.

This is a staggering increase compared to 2020, when Microsoft sent only 48 such notifications during the entire year.

Most of these attacks are focused on Indian IT services firms, with some of them also targeting several companies based in Israel and the United Arab Emirates.

Notifications sent to IT services companies (Microsoft)

As Microsoft revealed, two Iranian hacking groups tracked as DEV-0228 and DEV-0056 successfully breached IT companies from Israel and Bahrain in July and September:

  • In July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC's assessment, DEV-0228 used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel.
  • In September, we detected a separate Iranian group, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients, who were likely DEV-0056's ultimate target. DEV-0056 also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained persistence at the IT integration organization through at least October.

Iranian threat actors have been in the spotlight during the last two weeks, with several advisories and reports warning of Iranian activity targeting organizations worldwide.

US, UK, and Australian cybersecurity agencies warned Thursday of ongoing exploitation of Microsoft Exchange ProxyShell and Fortinet vulnerabilities linked to an Iranian-sponsored hacking group and ransomware attacks.

One day earlier, the Microsoft Threat Intelligence Center (MSTIC) revealed that six Iranian hacking groups have been deploying ransomware and exfiltrating data from victims' systems since September 2020.

The FBI also warned in a TLP:AMBER private industry notification (PIN) of an Iranian threat actor attempting to buy stolen information associated with US and worldwide organizations from clear and dark web sources, data that could be used to breach those organizations' systems again.
