Attackers Tied to Iran Targeting Office 365 in Password Spraying Campaign

A previously unknown attack group likely tied to the Iranian government has been running an extensive password-spraying campaign against enterprise Office 365 implementations, targeting companies in the defense industry in the United States and Israel, as well as some transportation companies in the Persian Gulf.

Microsoft identified the group, which it calls DEV-0343, in July, and researchers said the O365 campaign targeted more than 250 tenants, fewer than 20 of which were actually compromised. The campaign uses a large set of IP addresses on the Tor network and the attackers typically emulate the Mozilla Firefox browser to conduct the password-spraying operation. The targets include companies that work on producing military radar systems, drones, satellite systems, and emergency response systems.

“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East,” Microsoft researchers said in an analysis of the campaign.

The group is a newer one, hence the DEV, or developing, designation from Microsoft, and the researchers have not conclusively identified it. But the targeting and behavioral patterns led the researchers to conclude that the group is operating in the interests of the Iranian government.

“This activity likely supports the national interests of the Islamic Republic of Iran based on pattern-of-life analysis, extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran,” the researchers said.

“Microsoft assesses this targeting supports Iranian government tracking of adversary security services and maritime shipping in the Middle East to enhance their contingency plans. Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program. Given Iran’s past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors, and we encourage our customers in these industries and geographic regions to review the information shared in this blog to defend themselves from this threat.”

As part of the attack campaign, the DEV-0343 actors target dozens or hundreds of O365 accounts in a given organization, and usually go after the Autodiscover and ActiveSync endpoints. The attack activity typically peaks between 04:00 and 11:00 UTC, Microsoft said, and O365 accounts that have multi-factor authentication enabled were not compromised in the password-spraying attacks.
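
The pattern described above (dozens or hundreds of accounts, a few attempts each, against Autodiscover and ActiveSync, from many source addresses) can be hunted for in sign-in logs. The sketch below is an added example, not taken from Microsoft's analysis or from this article; the record fields, app labels, thresholds and sample events are constructed assumptions to adapt to your own log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed labels for the two endpoints named in the article; map to your log schema.
SPRAYED_APPS = {"Autodiscover", "Exchange ActiveSync"}

def find_spray_windows(events, min_accounts=10, max_tries=3):
    """Return hourly buckets where many accounts each fail only a few times."""
    buckets = defaultdict(list)
    for ev in events:
        if ev["app"] in SPRAYED_APPS:
            buckets[ev["time"].replace(minute=0, second=0, microsecond=0)].append(ev)
    findings = []
    for hour, evs in sorted(buckets.items()):
        fails = defaultdict(int)
        for ev in evs:
            if not ev["success"]:
                fails[ev["user"]] += 1
        # Spraying is wide and shallow: ignore accounts hammered repeatedly.
        sprayed = {u for u, n in fails.items() if n <= max_tries}
        if len(sprayed) < min_accounts:
            continue
        ips = {ev["ip"] for ev in evs if not ev["success"] and ev["user"] in sprayed}
        # Successful sign-ins from the same sources need review first.
        hits = sorted({ev["user"] for ev in evs if ev["success"] and ev["ip"] in ips})
        findings.append({"hour": hour, "accounts": len(sprayed),
                         "source_ips": len(ips), "succeeded": hits})
    return findings

def sample_events():
    """Constructed sign-in records (documentation IP ranges), not real telemetry."""
    t0 = datetime(2021, 10, 12, 5, 0, tzinfo=timezone.utc)
    evs = [{"time": t0 + timedelta(minutes=4 * i), "user": f"user{i:02d}@example.com",
            "ip": f"203.0.113.{10 + i % 4}", "success": False,
            "app": "Autodiscover" if i % 2 else "Exchange ActiveSync"} for i in range(12)]
    # One guessed password works, from an address already seen failing.
    evs.append({"time": t0 + timedelta(minutes=50), "user": "user03@example.com",
                "ip": "203.0.113.13", "app": "Exchange ActiveSync", "success": True})
    # Benign noise: one user mistyping a password on a phone.
    evs += [{"time": t0 + timedelta(hours=9, minutes=i), "user": "alice@example.com",
             "ip": "198.51.100.7", "app": "Exchange ActiveSync", "success": False}
            for i in range(5)]
    return evs

if __name__ == "__main__":
    for f in find_spray_windows(sample_events()):
        print(f["hour"].isoformat(), f["accounts"], f["source_ips"], f["succeeded"])
```

Grouping by time window rather than by source IP matters here because the failures are spread across many addresses; accounts listed under `succeeded` are the ones to check for MFA enrollment and reset first.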