19 November 2021

Iranian state-backed hackers increasingly target IT services sector, Microsoft says

Iranian state-sponsored hacker groups are increasingly hitting IT services companies in India and Israel in an attempt to obtain access to their customers’ networks. Analysts at Microsoft believe these attacks are part of a broader cyber-espionage operation targeting organizations of interest to the Iranian regime.

“This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks,” according to researchers at the Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU).

Microsoft said it has sent over 1,600 notifications to alert more than 40 IT companies of hacking attempts coordinated by Iranian APT groups. This represents a significant rise in attacks, compared to 48 notifications in 2020.

“The focus of several Iranian threat groups on the IT sector particularly spiked in the last six months – roughly 10-13% of our notifications were related to Iranian threat activity in the last six months, compared to two and a half percent in the six months prior,” Microsoft said, adding that most of the targets are located in India, Israel, and United Arab Emirates.

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests.”

In July 2021, a hacker group that Redmond tracks as DEV-0228 and assesses as based in Iran compromised an Israel-based IT company that provides business management software. The threat actor used this access to break into the networks of the company’s downstream customers in the defense, energy, and legal sectors in Israel.

In September, Microsoft caught another Iranian threat actor, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government clients. DEV-0056 also hacked various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors. The group maintained persistence at the IT integration organization through at least October.

Since mid-August, DEV-0228 and DEV-0056, as well as other Iranian APTs, have been increasingly targeting India-based IT companies.

“From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting,” Microsoft said.

“Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.”
