Beware! Iranian Cyberattacks Threaten Critical Infrastructure in Ongoing Global Campaign

In the ever-evolving world of cyber threats, one of the most alarming trends is the rise of state-sponsored cyberattacks targeting critical infrastructure. Recent joint advisories from cybersecurity and intelligence agencies across the U.S., Australia, and Canada reveal an ongoing year-long campaign by Iranian cyber actors aimed at key sectors like healthcare, energy, government, and information technology.

The Methods Behind Iranian Cyberattacks

Since October 2023, Iranian cyber actors have employed brute-force attacks and password spraying to infiltrate organizations. Both tactics rely on repeated password guessing against user accounts: brute force tries many passwords against a single account, while password spraying tries a few common passwords across many accounts to avoid triggering lockouts. Sectors like healthcare, engineering, and government services are prime targets, given their sensitivity and importance.

One emerging tactic used by these attackers is multi-factor authentication (MFA) push bombing, also known as MFA fatigue. By flooding users with repeated MFA requests, the attackers hope to annoy or confuse victims into unintentionally approving access. Ray Carney, a cybersecurity expert at Tenable, suggests using phishing-resistant MFA or employing number matching for a safer authentication process.

The primary goal of these attacks is to steal credentials and detailed network information, which is then sold on underground forums. This creates opportunities for other cybercriminals to exploit compromised systems for further attacks, aligning with the broader cybersecurity landscape of collaboration between state-sponsored groups and organized cybercrime.

Advanced Attack Techniques

After initial access, Iranian attackers typically conduct thorough reconnaissance of the target’s systems. They use "living-off-the-land" (LotL) techniques, which abuse legitimate tools already present in the organization’s environment so that their activity blends in with normal administration and remains undetected. Privilege escalation exploits, such as the well-known Zerologon vulnerability (CVE-2020-1472), help attackers move deeper into systems.

In many cases, attackers leverage remote desktop protocols (RDP) and tools like Cobalt Strike to establish command-and-control (C2) connections. Notably, they sometimes register their own devices with MFA systems, allowing them to maintain persistent access over long periods without raising suspicion.
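Three of the behaviours described above leave distinctive traces in authentication telemetry: a password spray shows up as one source failing against many different accounts rather than many failures against one account; MFA push bombing shows up as a burst of push prompts to a single user, sometimes followed by an approval; and attacker persistence via MFA enrolment shows up as a new device registered shortly after a successful sign-in from a source the user has never used. The Python below is an added example written for this article, not code from the article or from any agency or vendor it cites. It assumes a pipe-delimited sign-in log format of my own invention, constructed sample lines, a constructed per-user baseline of familiar source IPs (KNOWN_IPS), and illustrative thresholds; real deployments would read from their identity provider's sign-in logs and tune the windows and counts.

```python
"""Detection rules over sign-in telemetry (added example; constructed log format).
Assumed log line layout, with all sample data and thresholds being assumptions:
    <ISO-8601 timestamp>|<event>|<user>|<source ip>|<detail>
Events: LOGIN_FAIL, LOGIN_OK, MFA_PUSH_SENT, MFA_PUSH_APPROVED, MFA_DEVICE_REGISTERED."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source sprays five accounts, succeeds on frank, bombs
# frank with push prompts until one is approved, then enrols a new MFA device.
SAMPLE_LOG = """\
2024-03-01T08:00:01|LOGIN_FAIL|alice|203.0.113.5|password
2024-03-01T08:00:03|LOGIN_FAIL|bob|203.0.113.5|password
2024-03-01T08:00:05|LOGIN_FAIL|carol|203.0.113.5|password
2024-03-01T08:00:07|LOGIN_FAIL|dave|203.0.113.5|password
2024-03-01T08:00:09|LOGIN_FAIL|erin|203.0.113.5|password
2024-03-01T08:00:11|LOGIN_OK|frank|203.0.113.5|password
2024-03-01T08:01:00|MFA_PUSH_SENT|frank|203.0.113.5|push
2024-03-01T08:01:20|MFA_PUSH_SENT|frank|203.0.113.5|push
2024-03-01T08:01:40|MFA_PUSH_SENT|frank|203.0.113.5|push
2024-03-01T08:02:00|MFA_PUSH_SENT|frank|203.0.113.5|push
2024-03-01T08:02:10|MFA_PUSH_APPROVED|frank|203.0.113.5|push
2024-03-01T08:03:00|MFA_DEVICE_REGISTERED|frank|203.0.113.5|new-phone
2024-03-01T09:00:00|LOGIN_OK|alice|198.51.100.7|password
"""

# Constructed baseline: source IPs each user has previously signed in from.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "frank": {"192.0.2.10"}}


def parse_log(text):
    """Parse the assumed log format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, user, ip, detail = line.split("|")
            events.append({"ts": datetime.fromisoformat(ts), "event": event,
                           "user": user, "ip": ip, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def _max_in_window(times, window):
    """Largest count of sorted timestamps inside any span of `window`; returns (count, start)."""
    best, best_start, start = 0, None, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 > best:
            best, best_start = end - start + 1, times[start]
    return best, best_start


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP whose failures hit at least min_users distinct accounts in one window.
    Distinct failing users per source is the signal; per-account failure counts stay low."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            fails[e["ip"]].append(e)
    alerts = []
    for ip, evs in fails.items():
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, len({x["user"] for x in evs[start:end + 1]}))
        if best >= min_users:
            alerts.append({"ip": ip, "distinct_users": best})
    return alerts


def detect_mfa_push_bombing(events, window=timedelta(minutes=5), min_pushes=3):
    """Flag a user who received at least min_pushes prompts in one window, noting
    whether an approval followed the start of that burst (fatigue that succeeded)."""
    pushes, approvals = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "MFA_PUSH_SENT":
            pushes[e["user"]].append(e["ts"])
        elif e["event"] == "MFA_PUSH_APPROVED":
            approvals[e["user"]].append(e["ts"])
    alerts = []
    for user, times in pushes.items():
        count, burst_start = _max_in_window(times, window)
        if count >= min_pushes:
            approved = any(t >= burst_start for t in approvals[user])
            alerts.append({"user": user, "pushes": count, "approved_after": approved})
    return alerts


def detect_device_enrolment_after_unfamiliar_login(events, known_ips, grace=timedelta(minutes=30)):
    """Flag an MFA device registration within `grace` of a successful login from a
    source IP outside the user's baseline, the persistence pattern described above."""
    last_unfamiliar, alerts = {}, []
    for e in events:  # parse_log already sorted these by time
        if e["event"] == "LOGIN_OK" and e["ip"] not in known_ips.get(e["user"], set()):
            last_unfamiliar[e["user"]] = e
        elif e["event"] == "MFA_DEVICE_REGISTERED":
            prior = last_unfamiliar.get(e["user"])
            if prior and e["ts"] - prior["ts"] <= grace:
                alerts.append({"user": e["user"], "ip": prior["ip"], "device": e["detail"]})
    return alerts


def run_all(text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    """Run all three rules over a log and return their alerts keyed by rule name."""
    events = parse_log(text)
    return {"spraying": detect_password_spraying(events),
            "push_bombing": detect_mfa_push_bombing(events),
            "new_device": detect_device_enrolment_after_unfamiliar_login(events, known_ips)}
```

On the constructed sample, `run_all()` returns one spraying alert for 203.0.113.5 (five distinct accounts), one push-bombing alert for frank (four prompts, approved), and one new-device alert for frank tied to the unfamiliar source. The spraying rule keys on distinct users per source rather than failures per account precisely because spraying is designed to stay under per-account lockout thresholds, and the device rule joins two event types because a registration on its own is routine while a registration minutes after a first-ever login from a new source is not.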

Targeting Active Directory and Beyond

Iranian cyber actors are increasingly focusing on compromising Active Directory, the backbone of many enterprise IT environments. Active Directory plays a crucial role in managing user authentication and permissions across networks. The compromise of this system allows attackers to escalate privileges, giving them access to highly sensitive information and control over critical systems.

Recent shifts in the global threat landscape also point to a trend of collaboration between nation-state hacking groups and cybercriminal organizations. Microsoft’s 2024 Digital Defense Report highlights that Iranian state-sponsored attackers are not only conducting operations for geopolitical reasons but are also motivated by financial gain. By outsourcing parts of their operations to cybercriminals, they extend their reach while maintaining a lower profile.

What Organizations Can Do

To mitigate these risks, organizations in targeted sectors must take proactive measures:

  • Implement phishing-resistant MFA wherever possible. If not feasible, enable number matching on push-based MFA so that a prompt cannot be approved without information from the login screen.
  • Regularly audit and patch vulnerabilities, particularly in Active Directory and other critical systems.
  • Train employees to recognize the signs of MFA fatigue and encourage them to report suspicious login attempts.
  • Monitor network traffic for unusual activity, especially outbound connections to known C2 infrastructure.
  • Collaborate with government agencies and industry peers to stay informed about the latest threats and best practices for defense.

The Road Ahead

As cyberattacks become more sophisticated and intertwined with global geopolitical objectives, businesses must be vigilant. The year-long campaign by Iranian cyber actors serves as a stark reminder that even the most robust security systems can be compromised without proper defenses in place.

Staying ahead of these threats requires constant adaptation, collaboration, and a commitment to cybersecurity best practices. While no system is impervious, informed and prepared organizations stand a far better chance of withstanding the growing wave of cyberattacks.