An advisory from the United States, Canada and Australia says Iranian cyber actors have spent the past year using “brute force” and other techniques to gain access to several critical infrastructure organizations and steal information.
The joint advisory issued Wednesday by the U.S. Cybersecurity and Infrastructure Agency and the FBI says the actors targeted organizations within the healthcare, government, IT, engineering, and energy sectors.
“The actors are likely aiming to obtain credentials and information describing the victim’s network which can then be sold to enable access to cybercriminals,” the warning read.
The Canadian Communications Security Foundation, the Australian Cyber Security Center and the Australian Federal Police joined US agencies in authoring the joint advisory, which says the activity dates back to October 2023.
“Brute force” techniques involve systematically guessing passwords in order to gain access to victims’ user and group email accounts, or using a password reset tool.
Iranian actors have also used “push bombing” on accounts protected by multi-factor authentication (MFA) — bombarding users with notifications until the request is approved in error or MFA is turned off, the advisory says.
Actors then register their own devices with MFA to ensure they stay connected to the compromised account, according to the advisory.
The agencies say that, once logged in, Iranian actors “scooped” the compromised networks to obtain additional credentials and other information that would allow access.
“The authoring agencies assess that Iranian actors are selling this information in cybercrime forums to actors who may use the information to conduct additional malicious activities,” the warning said.
The agencies say organizations can detect brute force activity by looking for repeated failed login attempts in their authentication logs, as well as logins and MFA authentications from “unexpected locations or from unfamiliar devices.” Checking IP addresses against known user accounts may also reveal compromised accounts.
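The checks described above (repeated failed logins, then logins and MFA activity from unfamiliar addresses) can be run over authentication logs. The following sketch is an added illustration, not code from the advisory or the agencies; the event format, thresholds and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5   # failed logins from one source IP inside WINDOW
PUSH_THRESHOLD = 4   # denied MFA prompts inside WINDOW before an approval

# Constructed sample data: (time, user, source IP, event, result).
KNOWN_IPS = {"alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}}
EVENTS = [
    ("2024-10-01T08:55:00", "bob", "198.51.100.20", "login", "fail"),
    ("2024-10-01T08:55:20", "bob", "198.51.100.20", "login", "ok"),
    ("2024-10-01T09:01:00", "alice", "203.0.113.7", "login", "ok"),
    ("2024-10-01T09:03:00", "alice", "203.0.113.7", "mfa_push", "approved"),
    ("2024-10-01T09:04:00", "alice", "203.0.113.7", "mfa_register", "ok"),
]
EVENTS += [(f"2024-10-01T09:00:{s:02d}", u, "203.0.113.7", "login", "fail")
           for s, u in enumerate(["alice", "bob", "alice", "carol", "alice"])]
EVENTS += [(f"2024-10-01T09:02:{s:02d}", "alice", "203.0.113.7", "mfa_push", "denied")
           for s in range(0, 40, 10)]

def detect(events, known_ips):
    """Return alerts as (kind, user_or_None, source_ip), in time order."""
    alerts, fails, denied = [], defaultdict(list), defaultdict(list)
    for ts, user, ip, event, result in sorted(events):
        now = datetime.fromisoformat(ts)
        unfamiliar = ip not in known_ips.get(user, set())
        if event == "login" and result == "fail":
            fails[ip] = [t for t in fails[ip] if now - t <= WINDOW] + [now]
            if len(fails[ip]) == FAIL_THRESHOLD:   # alert once per burst
                alerts.append(("brute_force", None, ip))
        elif event == "login" and result == "ok" and unfamiliar:
            alerts.append(("unfamiliar_login", user, ip))
        elif event == "mfa_push" and result == "denied":
            denied[user] = [t for t in denied[user] if now - t <= WINDOW] + [now]
        elif event == "mfa_push" and result == "approved":
            recent = [t for t in denied[user] if now - t <= WINDOW]
            if len(recent) >= PUSH_THRESHOLD:      # approval after a flood of prompts
                alerts.append(("push_bombing", user, ip))
            denied[user] = []
        elif event == "mfa_register" and unfamiliar:
            alerts.append(("unfamiliar_mfa_device", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS, KNOWN_IPS):
        print(alert)
```

A single mistyped password from a known address, as in the first two sample records, raises no alert; the thresholds would need tuning against an organization's normal login behaviour.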
Organizations can further protect themselves by reviewing password procedures, completely deleting accounts and credentials of departing employees, implementing phishing-resistant MFA, and continually reviewing MFA settings to protect “exploitable services.”
“These mitigations apply to critical infrastructure entities across sectors,” the advisory says.
This advisory was issued a day after Microsoft’s latest digital threat report identified Iran as a major cyber threat actor that, along with Russia and China, is increasingly relying on criminal networks to lead cyber espionage and hacking operations against adversaries such as the United States and its allies.
In one example, Microsoft analysts found that a criminal hacking group with ties to Iran infiltrated an Israeli dating site and then attempted to sell the personal information it obtained or demand a ransom. Microsoft concluded that the hackers sought to embarrass Israelis and make money.
American officials accused Iran of secretly supporting American protests against the Israeli conflict with Hamas in Gaza. Microsoft’s report said Iranian actors targeted the United States and its Middle East allies such as the United Arab Emirates and Bahrain over their perceived support for Israel in the broader Middle East conflict.
Networks linked to Iran, Russia and China have also targeted US voters, using fake websites and social media accounts to spread false and misleading claims about the upcoming US presidential election.
Iranian hackers targeted Donald Trump’s campaign and the email accounts of some supporters and stole some materials, which the FBI said the hackers unsuccessfully tried to sell to the Democratic campaign. Three Iranian agents were charged with the cyber attack.
Iran has denied any knowledge of or involvement in any cyber activity targeting other countries.
-With files from The Associated Press
© 2024 Global News, a division of Corus Entertainment Inc.