Iranian State-Sponsored Threat Actors Target Critical Infrastructure
A joint advisory has revealed that Iranian state-sponsored threat actors have launched cyberattacks targeting critical infrastructure organizations and government agencies.
A joint advisory issued by government agencies in the United States, Canada, and Australia has revealed that Iranian state-sponsored threat actors have launched a series of cyberattacks targeting critical infrastructure organizations and government agencies. Since October 2023, these attackers have used brute-force methods, password spraying, and multi-factor authentication (MFA) “push bombing” techniques to compromise user accounts and gain access to organizational networks.
This article explains the nature of these attacks, who is at risk, and what steps can be taken to protect against these threats.
Understanding the Attack Techniques
Brute Force and Password Spraying
Password spraying is a technique in which an attacker attempts to gain unauthorized access to multiple accounts by systematically guessing common passwords across many users, rather than focusing on a single account. This method avoids triggering account lockouts, which usually occur after too many failed attempts on one account.
MFA Push Bombing
Another tactic employed by the Iranian actors is MFA push bombing, where they flood users with MFA notifications in hopes that a user will approve the request, allowing unauthorized access. This tactic takes advantage of MFA's reliance on user confirmation to approve logins.
Use of Reconnaissance and Persistent Access
Once inside the network, the attackers engage in reconnaissance, exploring the victim’s network to harvest credentials and escalate privileges. The attackers use this information to modify MFA registrations, allowing them to maintain access over time. They also leverage legitimate tools like Remote Desktop Protocol (RDP) and Virtual Private Networks (VPNs) to move laterally within the system and continue their exploitation unnoticed.
Selling Stolen Information
According to the joint advisory, the compromised credentials and information are often sold on cybercriminal forums, where other threat actors can purchase and use this data to launch further attacks.
Who Is at Risk?
The sectors most vulnerable to these attacks include:
Energy: Power grids, oil and gas facilities, and renewable energy companies are frequent targets due to their importance in national infrastructure.
Engineering: Firms that handle sensitive designs or blueprints may be attacked for industrial espionage or sabotage.
Government Agencies: Especially those handling defense, law enforcement, or public safety data.
Healthcare and Public Health (HPH): Medical data and healthcare systems are high-value targets for espionage or ransomware.
Information Technology (IT): Tech companies are particularly vulnerable, as their infrastructure may provide attackers with pathways to other sectors.
Organizations in these sectors need to be especially vigilant, as the attacks have targeted both proprietary information and public-facing services.
How to Protect Yourself
Implement Strong Security Practices
Organizations can protect themselves by reviewing their IT helpdesk password management and enforcing strong password policies that make brute-force attacks less likely to succeed. It’s crucial to ensure that no former employee accounts are still active, as these can be easily compromised.
Phishing-resistant MFA is essential. Instead of relying on push notifications, which can be abused through MFA push bombing, organizations should consider alternatives like hardware tokens or biometric authentication that offer more robust security.
Monitoring for Suspicious Activity
Regularly reviewing authentication logs is critical for identifying unusual activity. Look for signs like multiple failed login attempts, suspicious logins from geographically distant IP addresses, or strange user-agent strings that may indicate automated credential attacks.
Suspicious MFA registrations or unexpected activity from dormant accounts can also be red flags for malicious activity. Anomalies like these should be addressed immediately to prevent unauthorized access.
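The two patterns described above (password spraying in the "Brute Force and Password Spraying" section and MFA push bombing) can be picked out of authentication logs with simple windowed counting. The following is an added example, not code from the advisory or from Cyber Syrup; the event tuple layout and the event names (LOGIN_FAIL, MFA_PROMPT, MFA_DENY, MFA_APPROVE) are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event, user, source_ip); the field layout is assumed.
SAMPLE_EVENTS = (
    # Spray pattern: one external address, one failure per user, six users in six minutes.
    [(f"2024-10-16T08:0{i}:00", "LOGIN_FAIL", u, "198.51.100.9")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    # Benign noise: one user mistypes a password twice from the office address.
    + [("2024-10-16T09:00:00", "LOGIN_FAIL", "grace", "203.0.113.7"),
       ("2024-10-16T09:00:20", "LOGIN_FAIL", "grace", "203.0.113.7")]
    # Push-bombing pattern: six MFA prompts to bob within a minute, then an approval.
    + [(f"2024-10-16T10:00:{s:02d}", "MFA_PROMPT", "bob", "198.51.100.9")
       for s in range(0, 60, 10)]
    + [("2024-10-16T10:01:30", "MFA_APPROVE", "bob", "198.51.100.9")]
)

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins hit many distinct accounts in the window;
    spraying stays under per-account lockout, so key on the source, not the account."""
    fails_by_ip = defaultdict(list)
    for ts, event, user, ip in events:
        if event == "LOGIN_FAIL":
            fails_by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = []
    for ip, fails in fails_by_ip.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):  # sliding window starting at each failure
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits.append((ip, len(users)))
                break
    return hits

def detect_push_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """Flag users who received a burst of MFA prompts; 'approved' is True if any
    prompt was accepted once the burst began (the outcome the attacker wants)."""
    mfa_by_user = defaultdict(list)
    for ts, event, user, _ in events:
        if event in ("MFA_PROMPT", "MFA_DENY", "MFA_APPROVE"):
            mfa_by_user[user].append((datetime.fromisoformat(ts), event))
    hits = []
    for user, evs in mfa_by_user.items():
        prompts = sorted(t for t, e in evs if e == "MFA_PROMPT")
        for i, t0 in enumerate(prompts):
            if sum(1 for t in prompts[i:] if t - t0 <= window) >= min_prompts:
                approved = any(e == "MFA_APPROVE" and t >= t0 for t, e in evs)
                hits.append((user, approved))
                break
    return hits
```

Tune the window and threshold values to your own baseline; the benign double failure from grace is deliberately left unflagged to show that per-account failure counts alone would miss the spray.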
Employee Training and Awareness
Organizations should provide cybersecurity training for employees, particularly regarding how to recognize phishing attempts and avoid falling victim to social engineering. Training should emphasize the importance of verifying suspicious login requests, especially when it comes to MFA push notifications.
Security Program Validation
It's important to validate your security program against recognized frameworks such as MITRE ATT&CK for Enterprise. This provides a comprehensive understanding of how adversaries operate and can help you build a defense strategy tailored to specific threat actor tactics, techniques, and procedures (TTPs).
Conclusion
Iranian state-sponsored threat actors pose a significant risk to critical infrastructure organizations, particularly in sectors such as energy, healthcare, and government. These attackers use sophisticated techniques, including brute-force attacks, password spraying, and MFA manipulation, to gain access to sensitive systems and data.
Organizations must act proactively to strengthen their cybersecurity defenses by implementing strong password policies, ensuring robust MFA practices, monitoring for suspicious activity, and training employees. By taking these precautions, organizations can reduce the risk of falling victim to these persistent and evolving cyber threats.