Hackers associated with the Iranian government are trying to make it harder for cities in Israel and the Gulf states to respond to Iranian missile strikes by disrupting their Microsoft 365 platforms, according to a new report.
The attacks, which took place on three separate occasions in March, primarily targeted organizations in Israel (more than 300 targets) and the United Arab Emirates (approximately 25 targets), researchers at the Israeli cybersecurity firm Check Point Software Technologies said on Wednesday.
Municipal governments were the most common target, which Check Point said could be because of their role in responding to the aftermath of Iranian missile strikes. Iran has launched thousands of missiles and drones at Israel and other U.S. allies in the Middle East since the beginning of the war with the U.S. and Israel on Feb. 28.
“We observe some correlation between the targets of this campaign to cities that were targeted by missile attacks from Iran during March,” Check Point researchers wrote. “This suggests the campaign was likely intended to support kinetic operations and Bombing Damage Assessment (BDA) efforts.”
The hackers also targeted organizations in the energy, transportation and technology sectors, and a few of their targets were in the U.S., the U.K., Europe and Saudi Arabia, according to the report.
Check Point said it had moderate confidence that the campaign was the work of Iran-linked operatives, based in part on the nature of the targets and in part on M365 log data showing similarities to the Iran-linked group Gray Sandstorm.
The password-spraying attacks are the latest malicious cyber activity that researchers have attributed to Iran since the war began, following attacks on the medical-device vendor Stryker, an unnamed U.S. healthcare provider and the defense contractor Lockheed Martin.
Iran’s trademark tactic
The campaign used brute-force attacks on organizations’ login portals in repeated attempts to access systems with weak and common passwords. This password-spraying technique is a favorite initial access method of Iran-linked threat actors; Check Point said it’s seen at least two groups use it in the past.
The hackers used Tor during their initial login attempts and other VPNs during the full infiltration process after a successful login, making it harder to block their intrusions using static detection methods.
Advice to defenders
To block password-spraying attacks, Check Point urged organizations to review sign-in logs, enforce multifactor authentication, require strong passwords, enable audit logs and restrict where users can log in from, including through geofencing and Tor IP address bans.
Monitoring sign-in logs can help organizations “identify password spray behavior patterns,” Check Point said, “specifically multiple authentication failures across many distinct user accounts originating from the same source IP.”
Microsoft’s website also provides advice to organizations investigating possible password-spraying attacks.
