Iranian cyber actors have spent the past year using “brute force” and other techniques to gain access to multiple critical infrastructure organizations and steal information, an advisory from the U.S., Canada and Australia says.
The joint advisory released Wednesday by the U.S. Cybersecurity and Infrastructure Agency and the Federal Bureau of Investigation says the actors have targeted organizations within the health-care, government, information technology, engineering and energy sectors.
“The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” the advisory says.
Canada’s Communications Security Establishment, the Australian Cyber Security Centre and the Australian Federal Police joined the U.S. agencies in authoring the joint advisory, which says the activity dates back to October 2023.
“Brute force” techniques involve systematically guessing passwords in order to gain access to victims’ user and group email accounts, or using a password resetting tool.
The advisory says the Iranian actors also used “push bombing” on accounts protected by multi-factor authentication (MFA) — bombarding users with notifications until either the request is approved by mistake or MFA is turned off.
The actors then register their own devices with MFA to ensure they remain connected to the hacked account, according to the advisory.
Once logged in, the agencies say the Iranian actors performed “discovery” on the compromised networks to obtain additional credentials and other information that would allow access.
“The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the advisory says.
The agencies say organizations can detect brute force activity by looking for repeated failed login attempts in their authentication logs, as well as logins and MFA authentications from “unexpected locales or from unfamiliar devices.” Checking IP addresses against known user accounts may also reveal compromised accounts.
Organizations can further protect themselves by reviewing password procedures, completely deleting accounts and credentials for departed staff, implementing phishing-resistant MFA and consistently reviewing MFA settings to protect “exploitable services.”
“These mitigations apply to critical infrastructure entities across sectors,” the advisory says.
The advisory was released a day after Microsoft’s latest digital threats report identified Iran as a top cyber threat actor that, along with Russia and China, is increasingly relying on criminal networks to lead cyber espionage and hacking operations against adversaries like the U.S. and its allies.
In one example, Microsoft’s analysts found that a criminal hacking group with links to Iran infiltrated an Israeli dating site and then tried to sell or ransom the personal information it obtained. Microsoft concluded the hackers sought to embarrass Israelis and make money.
U.S. officials have accused Iran of covertly supporting American protests against Israel’s conflict with Hamas in Gaza. The Microsoft report said Iranian actors have targeted the U.S. and its Middle Eastern allies like the United Arab Emirates and Bahrain because of their perceived support of Israel in the wider Middle East conflict.
Networks tied to Iran, Russia and China have also targeted American voters, using fake websites and social media accounts to spread false and misleading claims about the upcoming U.S. presidential election.
Iranian hackers targeted Donald Trump’s campaign and email accounts of some supporters and stole some material, which the FBI said the hackers unsuccessfully tried to sell to the Democratic campaign. Three Iranian operatives have been charged with the cyber attack.
Iran has denied any knowledge of or involvement in cyber activity targeting other countries.
— with files from The Associated Press