Earlier this month, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) warned that hackers likely working for the Russian Federation Foreign Intelligence Service (SVR) could seek to exploit software vulnerabilities. This week, the FBI, NSA, and Cybersecurity and Infrastructure Security Agency (CISA) have issued another bulletin to warn network defenders of Iranian cyber actors’ use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors.
The U.S. agencies were joined by the Communications Security Establishment Canada (CSE), Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in issuing the bulletin. The release highlighted how hackers working at the behest of Tehran could target healthcare and public health (HPH), government, information technology, engineering, and energy sectors.
“The actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to enable access to cybercriminals,” the bulletin suggested, and cautioned that since October of last year the Iranian threat actors have used a combination of brute force attacks.
These have included password spraying and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and gain access to organizations. The former method uses a single common password, or a handful of common passwords, against many accounts, while in MFA push bombing the attackers send numerous calls or push notifications to a person’s authentication app or phone in the hope that one will be accepted.
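Detection logic for the two techniques just described, written as an added example that is not part of the advisory or this article: the authentication events, IP addresses, usernames and thresholds are constructed. A spray shows up as one source failing against many distinct accounts in a short window; push bombing shows up as a burst of MFA prompts to one account, the worst case being a burst that ends in an approval.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not from the advisory):
# (timestamp, source_ip, username, event_type)
EVENTS = [
    ("2024-10-16T08:00:01", "198.51.100.7", "alice", "login_failure"),
    ("2024-10-16T08:00:03", "198.51.100.7", "bob", "login_failure"),
    ("2024-10-16T08:00:05", "198.51.100.7", "carol", "login_failure"),
    ("2024-10-16T08:00:07", "198.51.100.7", "dave", "login_failure"),
    ("2024-10-16T08:00:09", "198.51.100.7", "erin", "login_failure"),
    ("2024-10-16T08:30:00", "192.0.2.10", "alice", "login_failure"),
    ("2024-10-16T08:30:20", "192.0.2.10", "alice", "login_failure"),
    ("2024-10-16T09:15:00", "203.0.113.5", "grace", "mfa_push_sent"),
    ("2024-10-16T09:15:10", "203.0.113.5", "grace", "mfa_push_sent"),
    ("2024-10-16T09:15:20", "203.0.113.5", "grace", "mfa_push_sent"),
    ("2024-10-16T09:15:30", "203.0.113.5", "grace", "mfa_push_sent"),
    ("2024-10-16T09:15:40", "203.0.113.5", "grace", "mfa_push_approved"),
]

def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed logins hit many distinct accounts in one window."""
    by_src = defaultdict(list)
    for ts, src, user, kind in events:
        if kind == "login_failure":
            by_src[src].append((datetime.fromisoformat(ts), user))
    hits = {}  # source_ip -> largest number of distinct accounts seen in a window
    for src, fails in by_src.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = max(hits.get(src, 0), len(users))
    return hits

def detect_push_bombing(events, window=timedelta(minutes=2), min_pushes=4):
    """Flag users receiving a burst of MFA pushes; value is True if one was approved."""
    by_user = defaultdict(list)
    for ts, _, user, kind in events:
        if kind in ("mfa_push_sent", "mfa_push_approved"):
            by_user[user].append((datetime.fromisoformat(ts), kind))
    hits = {}  # username -> whether an approval landed inside the burst
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (t0, _) in enumerate(pushes):
            burst = [k for t, k in pushes[i:] if t - t0 <= window]
            if burst.count("mfa_push_sent") >= min_pushes:
                hits[user] = hits.get(user, False) or "mfa_push_approved" in burst
    return hits
```

The two failures for alice from 192.0.2.10 are ordinary mistyped logins and are not flagged, which is the distinction a spray rule needs to make to stay useful.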
“The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity,” the agencies further cautioned.
CISA and its partners also recommended that critical infrastructure organizations follow the provided guidance, as well as ensure all accounts use strong passwords and register a second form of authentication. The bulletin provided the actors’ believed tactics, techniques, and procedures (TTPs), as well as indicators of compromise (IOCs). The information was derived from FBI engagements with entities impacted by this malicious activity.
A New Cyber Axis
This week’s bulletin from CISA, NSA, FBI, and foreign agencies highlights how greater coordinated efforts need to be taken given the rise in threats in recent months.
“Countries currently allied with Russia, including Iran, are heavily invested in information warfare as a result of a military deficit in comparison to the United States,” said Randall Schmollinger, a technology and political expert.
“For Iran specifically, the prize is knowledge and supplies for their nuclear program which they feel insecure without, and they’ve proven to be willing to use any tactics required to achieve nuclear armament,” Schmollinger told ClearanceJobs. “War in the Middle East looks very possible and a complete nuclear program is Iran’s only credible deterrent threat to the U.S. and avoiding becoming embroiled in a war in the Middle East.”
Tehran is looking at more than just collecting data for profit.
“Iran is attempting to gain as much information through hacks and other illicit means to shore up the military imbalance between themselves and the more technologically advanced Western states,” Schmollinger added. “The silver lining is that most hacking strategies are not specifically targeted at those containing nuclear secrets. Rather, they are casting a much wider net, which will eventually catch the attention of American enforcement agencies and counter-intel services, rendering the net ineffective.”
Brute Force Attacks on the Rise
The tactics now being employed by the Iranian cyber actors are not especially sophisticated, yet the warnings show they can still be quite effective.
“Google released a report noting 70% of exploited flaws disclosed in 2023 were zero-days. Mandiant released a report noting attackers have incredibly decreased the time it takes to convert a disclosed flaw into an easily available exploit product,” said Evan Dornbush, former NSA cybersecurity expert. “Microsoft released a report noting that 78% of nation-state activity is against the private sector, often in the form of for-profit actions. And CISA in collaboration with the UK and Australia are noting that criminals and governments are working together, sharing tools and access.”
The Iranian and Russian hackers, as well as other cybercriminals, will almost certainly continue to use a variety of cyber attacks, so there cannot be a one-size-fits-all response.
“The essential insight here is the necessity to evolve from purely reactive posturing, and shift to take proactive measures as part of one’s applied cybersecurity strategy,” Dornbush told ClearanceJobs. “The amount of money criminals can earn is getting too little attention. It is too costly to defend and too cheap to attack, and until we can affect a paradigm shift, things will continue to escalate.”