Situation Report: Microsoft reports Iranian hackers behind attacks on US and Israeli defense companies

On October 12, Microsoft released evidence identifying a group of Iranian hackers targeting U.S. and Israeli defense technology companies. The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Digital Security Unit (DSU) reported in a blog post that beginning in July, more than 250 Office 365 users were targeted in extensive password spraying. Although U.S. and Israeli technology companies were primarily attacked, Persian Gulf ports of entry and other global maritime companies that function in the Middle East were also targeted.
MSTIC and DSU attributed the attacks to the “national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran.”
Tehran plays a significant role in the cyberespionage space and has been accused of carrying out numerous attacks in recent years. On October 6, Iranian state-sponsored groups were accused of carrying out cyberattacks on various aerospace and telecommunications companies in Israel. The U.S.-Israeli cybersecurity firm Cybereason reported that the Iranian-based hacking group called “MalKamak” perpetrated the attack to gain intelligence on the infrastructure and critical assets of companies in Israel, the U.S., Europe and Russia.
In July, top-secret documents indicating Iran is planning various cyberattacks came to light. The files, published by the U.K.-based outlet Sky News, allege Tehran was gathering intelligence on civilian infrastructure in Western countries, including the U.S., U.K. and France, that “could be used to identify targets for future cyber-attacks.” In May 2021, Iran was linked to a cyberattack that aimed to target Israeli water supply systems. The attack intended to disrupt water systems in rural Israeli communities by incapacitating water flow and wastewater treatment facilities.
Additionally, Tehran was accused of targeting U.S. political groups and presidential campaigns in 2020. At this time, Microsoft reported that the Iranian cyberespionage group “Phosphorus” targeted the “personal accounts of Trump campaign staffers.”
Although Tehran carries out cyberattacks in various sectors, Iranian intelligence services have prioritized cyberattacks targeting shipping and maritime interests in the Strait of Hormuz. Iran sits on this critical and strategic waterway, through which almost a fifth of the globe’s oil consumption regularly passes. The head of MSTIC, John Lambert, warned that U.S. and Israeli companies in the maritime sectors should raise their network defenses in light of this most recent round of cyberespionage.