A new hacking group reportedly aligned with Iranian national interests has been observed executing a password spraying campaign aimed at defense technology companies in the U.S., European Union, and Israel. This campaign has also extended to regional ports of entry in the Persian Gulf and maritime companies operating in the Middle East, suggesting a wider strategy targeting critical industries.
Microsoft has identified this group as DEV-0343, noting their operations commenced in late July 2021. The attacks are believed to have impacted over 250 tenants of Office 365, with fewer than 20 successfully breached through a password spray technique. This method leverages a single password across multiple usernames, circumventing account lockouts typically associated with standard brute-force attempts.
Indicators suggest that these intrusions may form part of a broader campaign focused on intellectual property theft, specifically targeting partners involved in the production of military-grade technologies such as radars, drones, satellite systems, and emergency communication tools. The intent appears to be the acquisition of commercial satellite images and sensitive proprietary information.
The connection of DEV-0343 to Iran is bolstered by extensive similarities in geographical targeting and operational techniques shared with other Iranian cyber actors. Researchers from Microsoft’s Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) have elaborated on these correlations, establishing a link between the group’s tactics and those used by Iranian entities.
The password spraying attacks notably mimic traffic from Firefox and Google Chrome browsers and route through a large pool of distinct Tor proxy IP addresses to obscure the operators' infrastructure. Microsoft documented a pronounced increase in attack frequency from Sunday to Thursday, peaking during late morning and early evening hours in Iran. The methodology entails targeting dozens to hundreds of accounts per organization, depending on its size.
Additionally, Microsoft emphasized the similarities between the tools employed in these attacks and those available via o365spray, an open-source tool designed specifically for Office 365 credential attacks. To bolster defenses against such breaches, Microsoft urges organizations to implement multi-factor authentication and restrict inbound traffic from anonymizing services wherever feasible.
Access to valuable commercial satellite data and confidential shipping plans could significantly enhance Iran’s developing satellite capabilities. Given prior instances of cyber and military aggression against shipping and maritime assets, Microsoft has warned that this activity heightens the risk faced by companies operating within these sectors.