19 November 2021

Iranian state-backed hackers increasingly target IT services sector, Microsoft says

Iranian state-sponsored hacker groups are increasingly hitting IT services companies in India and Israel in an attempt to obtain access to their customers’ networks. Analysts at Microsoft believe that these attacks are part of a broader cyber-espionage operation targeting organizations of interest to the Iranian regime.

“This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks,” according to researchers at the Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU).

Microsoft said it has sent over 1,600 notifications to alert more than 40 IT companies of hacking attempts coordinated by Iranian APT groups. This represents a significant rise in attacks, compared to 48 notifications in 2020.

“The focus of several Iranian threat groups on the IT sector particularly spiked in the last six months – roughly 10-13% of our notifications were related to Iranian threat activity in the last six months, compared to two and a half percent in the six months prior,” Microsoft said, adding that most of the targets are located in India, Israel, and the United Arab Emirates.

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests.”

In July 2021, a hacker group that Redmond tracks as DEV-0228 and assesses as based in Iran compromised an Israel-based IT company that provides business management software. The threat actor used this access to break into the networks of the company’s downstream customers in the defense, energy, and legal sectors in Israel.

In September, Microsoft caught another Iranian threat actor, DEV-0056, compromising email accounts at a Bahrain-based IT integration company that works with Bahrain Government clients. DEV-0056 also hacked various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors. The group maintained persistence at the IT integration organization through at least October.

Since mid-August, DEV-0228 and DEV-0056, as well as other Iranian APTs, have been increasingly targeting India-based IT companies.

“From mid-August to late September, we issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential rise from the 10 notifications we issued the previous three years in response to previous Iranian targeting,” Microsoft said.

“Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.”
