Iranian hackers recently attempted to breach over 250 “Microsoft Office 365” accounts belonging to U.S. and Israeli government-linked defense tech firms, as well as companies tied to Persian Gulf ports of entry and Middle East-based maritime shipping, Microsoft reported Monday.
In a blog post published October 11, the Microsoft Threat Intelligence Center (MSTIC) said it “first observed and began tracking” the attempted breaches by Iran-based hackers in late July. The cybercriminals conducted “extensive password spraying against more than 250 Office 365 tenants, with a focus on US and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East.”
While “less than 20 of the targeted tenants were successfully compromised,” the hacking unit “continues to evolve” its techniques for future cyberattacks, MSTIC warned.
Microsoft, a U.S.-based multinational tech corporation with strong ties to the U.S. government, did not name the companies targeted by the Tehran-allied hackers, though it did provide additional details about the hacking victims. The tech giant described them as “defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.”
According to MSTIC’s analysis:
“This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran.”
Information gleaned by the hackers during their successful breaches might help Tehran track “adversary security services and maritime shipping in the Middle East,” the cyber threat expert group added.
“Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program,” MSTIC observed.
“Password spraying,” the technique used by the Iran-based unit to gain access to the Microsoft Office accounts, “is a traditional brute force attack in which the hackers try to obtain access to as many accounts as possible by trying common passwords – each time from a different IP address,” the Times of Israel noted on October 12.
“This allows them to evade some of the automatic defenses for protecting passwords and accounts. The goal is to find an account to enter the organization – and use it to continue on from the inside,” the newspaper explained.
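The evasion described above can be seen from the defender's side in a sign-in log. The following is an added example, not code from Microsoft or the Times of Israel: it shows that per-account and per-IP failure counters stay low during a spray, while a tenant-wide count of distinct failing accounts in a short window stands out. The log layout, account names, addresses and thresholds are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def sample_events():
    """Constructed sign-in log: (time, account, source IP, success)."""
    t0 = datetime(2021, 1, 1, 9, 0)
    # Spray pattern: 12 accounts, one failed guess each, a new IP every time.
    spray = [(t0 + timedelta(seconds=40 * i), f"user{i:02d}@example.test",
              f"198.51.100.{i + 1}", False) for i in range(12)]
    # Background noise: one user mistypes three times, then signs in.
    t1 = t0 + timedelta(hours=3)
    noise = [(t1 + timedelta(seconds=20 * i), "alice@example.test",
              "203.0.113.7", i == 3) for i in range(4)]
    return sorted(spray + noise)

def max_failures_per(events, field):
    """Highest failure count seen by a per-account (1) or per-IP (2) counter."""
    counts = Counter(e[field] for e in events if not e[3])
    return max(counts.values(), default=0)

def detect_spray(events, window=timedelta(minutes=15),
                 min_accounts=10, max_per_account=2):
    """Tenant-wide view: many accounts failing a little, inside one window."""
    failures = [e for e in events if not e[3]]
    alerts, start = {}, 0
    for end, event in enumerate(failures):
        # Slide the window start forward until it spans at most `window`.
        while event[0] - failures[start][0] > window:
            start += 1
        chunk = failures[start:end + 1]
        per_account = Counter(e[1] for e in chunk)
        if (len(per_account) >= min_accounts
                and max(per_account.values()) <= max_per_account):
            # Keyed by window start so a growing burst yields one alert.
            alerts[chunk[0][0]] = {
                "first_seen": chunk[0][0], "last_seen": chunk[-1][0],
                "accounts": len(per_account),
                "source_ips": len({e[2] for e in chunk})}
    return list(alerts.values())

if __name__ == "__main__":
    events = sample_events()
    print("worst per-account failures:", max_failures_per(events, 1))
    print("worst per-IP failures:", max_failures_per(events, 2))
    for alert in detect_spray(events):
        print("possible password spray:", alert)
```

In the constructed data the only account or IP that accumulates repeated failures is the legitimate user who mistyped a password, which is why lockout and per-IP rate limits alone do not surface the spray.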
Microsoft published a separate “Digital Defense Report” on October 7 in which it claimed Tehran increased its hacks of Israeli entities by four times over the last year.
“Microsoft detected an increased focus from a growing number of Iranian groups targeting Israeli entities … and with that focus came a string of ransomware attacks,” the report stated.