Cybersecurity agencies from the U.S., Canada, and Australia issued a warning about Iranian cyber hackers compromising critical infrastructure through brute force and credential access techniques. Since last October, these cyber hackers have targeted user accounts in sectors such as healthcare, public health, government, information technology, engineering, and energy. The advisory outlines known indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) employed by Iranian hackers affecting various critical infrastructure sectors; and advises critical infrastructure operators to follow guidance and use strong passwords with two-factor authentication.
In an advisory, titled ‘Iranian Cyber Actors Brute Force and Credential Access Activity Compromises Critical Infrastructure,’ the U.S. Cybersecurity and Infrastructure Security Agency (CISA) along with the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), noted that the Iranian hackers used brute force, such as password spraying, and multifactor authentication (MFA) ‘push bombing’ to compromise user accounts and obtain access to organizations.
“The actors likely conduct reconnaissance operations to gather victim identity information. Once obtained, the actors gain persistent access to victim networks frequently via brute force,” the advisory disclosed. “After gaining access, the actors use a variety of techniques to further gather credentials, escalate privileges, and gain information about the entity’s systems and network. The actors also move laterally and download information that could assist other actors with access and exploitation.”
It added that the hackers frequently modified MFA registrations, enabling persistent access. “The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access. The authoring agencies assess that the Iranian actors sell this information on cybercriminal forums to actors who may use the information to conduct additional malicious activity.”
The Iranian hackers used valid user and group email accounts, frequently obtained via brute force such as password spraying although other times via unknown methods, to obtain initial access to Microsoft 365, Azure, and Citrix systems. In some cases where push notification-based MFA was enabled, the hackers send MFA requests to legitimate users seeking acceptance of the request. This technique—bombarding users with mobile phone push notifications until the user either approves the request by accident or stops the notifications— is known as ‘MFA fatigue’ or ‘push bombing.’
The hackers frequently conduct their activity using a virtual private network (VPN) service. Several IP addresses in the hackers’ malicious activity originate from exit nodes tied to the Private Internet Access VPN service. They also use Remote Desktop Protocol (RDP) for lateral movement. In one instance, the hackers used Microsoft Word to open PowerShell to launch the RDP binary mstsc[dot]exe. Also, the advisory revealed that the hackers likely used open-source tools and methodologies to gather more credentials. The hackers performed Kerberos Service Principal Name (SPN) enumeration of several service accounts and received Kerberos tickets.
The advisory revealed that the Iranian hackers leverage living off the land (LOTL) to gain knowledge about the target systems and internal networks. The hackers used Windows command-line tools to gather information about domain controllers, trusted domains, lists of domain administrators, and enterprise administrators. Also, in a couple of instances, while logged in to victim accounts, the adversaries downloaded files related to gaining remote access to the organization and to the organization’s inventory, likely exfiltrating the files to further persist in the victim network or to sell the information online.
To detect brute force activity, the advisory suggests reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all accounts.
Also, to detect the use of compromised credentials in combination with virtual infrastructure, the agencies recommend looking for ‘impossible logins,’ such as suspicious logins with changing usernames, user agent strings, and IP address combinations or logins where IP addresses do not align to the user’s expected geographic location; and looking for one IP used for multiple accounts, excluding expected logins. Furthermore, looking for ‘impossible travel,’ which occurs when a user logs in from multiple IP addresses with significant geographic distance.
The advisory calls upon critical infrastructure operations to keep an eye out for MFA registrations with MFA in unexpected locales or from unfamiliar devices; processes and program execution command-line arguments that may indicate credential dumping, especially attempts to access or copy the ntds[dot]dit file from a domain controller; and looking for suspicious privileged account use after resetting passwords or applying user account mitigations. It further suggests looking for unusual activity in typically dormant accounts and looking for unusual user agent strings, such as strings not typically associated with normal user activity, which may indicate bot activity.
Commenting on the advisory, John Terrill, CISO of Phosphorus Cybersecurity, wrote in an emailed statement that the CISA clearly has a thorough understanding of this threat hacker’s techniques. “There’s nothing particularly groundbreaking from this alert as it follows a series of common patterns that could be described as “textbook APT”. I think what’s interesting is how common MFA bypass has become. Push bombing or MFA fatigue was really only observed in account takeovers related to crypto accounts. This could be a natural progression of the actors’ TTPs but it could also signal an escalation which is why CISA felt necessary to publish this alert.”
He added that brute forcing accounts and exploiting default or weak passwords is nothing new. “While IoT and OT devices commonly face this problem, the assumption was modern IT environments had a better handle on it. Given the common, almost textbook recommendations in the advisory, I’m surprised CISA felt the need to release this.”
Given the effect of these Iranian hackers, the cybersecurity agencies prescribe a couple of mitigations that critical infrastructure installations can adopt to enhance cybersecurity posture, based on the actors’ TTPs. These measures align with CISA’s cross-sector cybersecurity performance goals (CPGs), linked to the NIST Cybersecurity Framework, designed to reduce risks to critical infrastructure and the public. These voluntary CPGs help small- and medium-sized organizations start cybersecurity efforts by prioritizing key actions with substantial security impacts.
Organizations should review IT helpdesk password management, focusing on initial passwords, user lockout resets, and shared accounts to ensure alignment with company policies on user verification and password strength. They must avoid common passwords and promptly disable accounts of departing staff to reduce system vulnerabilities; create new user accounts near the employee’s start date and implement phishing-resistant MFA, regularly reviewing settings to cover internet-facing protocols; and provide cybersecurity training on recognizing login attempts and managing MFA requests. They also must ensure password policies align with NIST guidelines, using 8-64 nonstandard characters and long passphrases, and disable RC4 for Kerberos authentication.
Apart from applying these mitigations, the agencies prescribe exercising, testing, and validating organization security programs against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework. They also recommend testing existing security controls inventory to assess their performance against the ATT&CK techniques.
This is not the first time Iranian adversaries have targeted critical infrastructure installations. In August 2024, FBI investigations revealed that cyber actors, such as Pioneer Kitten, are connected to the Government of Iran and associated with an Iranian information technology company. The assessment, conducted in collaboration with the CISA, the FBI, and the Department of Defense Cyber Crime Center, indicates that these hackers are engaged in malicious cyber operations. Their primary aim is to deploy ransomware attacks to gain and expand network access. These operations facilitate collaboration with affiliate cyber actors, enabling the continued deployment of ransomware.