Microsoft researchers have identified a hacking group linked to Iran that is targeting the Office 365 accounts of personnel working at defense technology companies supporting the US, Israel, and European Union nations.
Dubbed DEV-0343, the group has been seen using password spraying techniques to compromise accounts with unique passwords. Microsoft noted that fewer than 20 companies have fallen victim so far, and has warned targeted companies with measures to secure their accounts.
Iranian Hackers Targeting US Defense
State-backed hackers, also known as APTs, target sensitive institutions in other countries to steal secrets for their own development programs or, after reconnaissance, to strike them when needed.
Microsoft recently spotted such a group and linked it to the Iranian government, since its techniques and targets align with Iranian interests. The group was dubbed DEV-0343 by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU), which have been tracking it since late July this year.
The group targets defense technology companies such as makers of military-grade radar, drone technology, satellite systems, and emergency response communication systems that support the United States, European Union, and Israeli governments.
The group's goal is to access commercial satellite imagery and proprietary shipping plans and logs that could benefit the development of Iran's satellite program. To that end, it has been spotted password spraying the Office 365 accounts of people working at the defense companies mentioned above.
To date, Microsoft has found fewer than 20 companies falling victim to this group and has notified others with information on detection and prevention. Observed indicators of the group's activity include:
- Extensive inbound traffic from Tor IP addresses for password spray campaigns
- Emulation of Firefox (most common) or Chrome browsers in password spray campaigns
- Enumeration of Exchange ActiveSync (most common) or Autodiscover endpoints
- Use of enumeration/password spray tool similar to the ‘o365spray’ tool
- Use of Autodiscover to validate accounts and passwords
- Observed password spray activity commonly peaking between 04:00:00 and 11:00:00 UTC.
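A small detection check built on the indicators above, written as an added example and not Microsoft's or the article's own code: it groups failed Office 365 sign-ins by source IP and flags addresses that fail against many distinct accounts, scoring the Tor, browser user-agent, ActiveSync/Autodiscover and 04:00-11:00 UTC indicators. The sign-in records and the `is_tor` enrichment field are constructed assumptions, not real log data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in events (not real log data). Fields mirror a
# subset of Azure AD sign-in log columns; 'is_tor' is an assumed enrichment
# flag added by matching the source IP against a Tor exit-node list.
FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
SIGNINS = [
    {"ts": f"2021-10-11T05:1{i}:00Z", "ip": "198.51.100.7", "user": f"user{i}@example.com",
     "success": False, "app": "Exchange ActiveSync", "ua": FIREFOX_UA, "is_tor": True}
    for i in range(6)
] + [
    {"ts": "2021-10-11T14:02:00Z", "ip": "203.0.113.9", "user": "bob@example.com",
     "success": False, "app": "Office 365 Exchange Online", "ua": "Outlook/16.0", "is_tor": False},
    {"ts": "2021-10-11T14:03:00Z", "ip": "203.0.113.9", "user": "bob@example.com",
     "success": True, "app": "Office 365 Exchange Online", "ua": "Outlook/16.0", "is_tor": False},
]

LEGACY_APPS = {"Exchange ActiveSync", "Autodiscover"}

def spray_candidates(events, min_users=5, peak_utc=(4, 11)):
    """Group failed sign-ins by source IP and return the IPs that fit the spray
    profile: many distinct usernames failing from one address, scored against
    the Tor / browser-UA / legacy-endpoint / peak-hour indicators."""
    per_ip = defaultdict(lambda: {"users": set(), "failed": 0, "tor": 0,
                                  "browser_ua": 0, "legacy": 0, "in_peak": 0})
    for e in events:
        if e["success"]:
            continue  # a spray shows up as failures; successes are triaged separately
        s = per_ip[e["ip"]]
        s["failed"] += 1
        s["users"].add(e["user"].lower())
        s["tor"] += e.get("is_tor", False)
        s["browser_ua"] += ("Firefox" in e["ua"]) or ("Chrome" in e["ua"])
        s["legacy"] += e["app"] in LEGACY_APPS
        hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour  # timestamps are UTC
        s["in_peak"] += peak_utc[0] <= hour < peak_utc[1]
    alerts = []
    for ip, s in per_ip.items():
        if len(s["users"]) < min_users:
            continue
        # An indicator counts when it applies to the majority of that IP's failures.
        hits = [k for k in ("tor", "browser_ua", "legacy", "in_peak") if s[k] * 2 > s["failed"]]
        alerts.append({"ip": ip, "distinct_users": len(s["users"]),
                       "failed": s["failed"], "indicators": hits})
    return sorted(alerts, key=lambda a: (-len(a["indicators"]), -a["distinct_users"]))

if __name__ == "__main__":
    for alert in spray_candidates(SIGNINS):
        print(alert)
```

Tune `min_users` to the tenant's normal failure volume; a single address failing against a handful of accounts is common noise, while dozens of distinct accounts from one Tor exit during the peak window is the pattern described above.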
To defend against DEV-0343, Microsoft recommends:
- Enable multifactor authentication to mitigate compromised credentials.
- Microsoft strongly encourages all customers to download and use passwordless solutions.
- Review and enforce recommended Exchange Online access policies.
- Block all incoming traffic from anonymizing services where possible.