Microsoft Exposes Iran-linked APT Targeting U.S., Israeli Defense Tech Sectors
Threat hunters at Microsoft are raising the alarm about a new Iran-linked threat actor caught using password-spraying techniques to break into defense technology companies in the United States, Israel and parts of the Middle East.
The Redmond, Wash. software giant on Monday shared technical details on DEV-0343, an Iran-linked emerging threat actor that has been actively attempting to break into Office 365 accounts since at least July 2021.
“[We have] observed DEV-0343 conducting extensive password spraying against more than 250 Office 365 tenants, with a focus on U.S. and Israeli defense technology companies, Persian Gulf ports of entry, or global maritime transportation companies with business presence in the Middle East,” Redmond said in a report.
Microsoft confirmed that “less than 20” of the targeted Office 365 tenants were successfully compromised in this campaign. No further details were provided on the identity or geographic location of the compromised organizations.
The U.S. government counts nation-state actors from Iran alongside China, Russia and North Korea in the “Big Four” of adversaries, and the latest report from Redmond echoes private-sector warnings about an increase in APT activity tied to the Islamic Republic.
Microsoft said DEV-0343 has been observed targeting defense companies that support United States, European Union, and Israeli government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems.
“Further activity has targeted customers in geographic information systems (GIS), spatial analytics, regional ports of entry in the Persian Gulf, and several maritime and cargo transportation companies with a business focus in the Middle East,” Microsoft noted.
Microsoft’s explanation of the password-spraying technique being used:
DEV-0343 conducts extensive password sprays emulating a Firefox browser and using IPs hosted on a Tor proxy network. They are most active between Sunday and Thursday between 7:30 AM and 8:30 PM Iran Time (04:00:00 and 17:00:00 UTC) with significant drop-offs in activity before 7:30 AM and after 8:30 PM Iran Time. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.
DEV-0343 operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows DEV-0343 to validate active accounts and passwords, and further refine their password spray activity.
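The profile Microsoft describes above (failed authentications against the Autodiscover and ActiveSync endpoints, a Firefox user agent, Tor exit addresses as sources, a Sunday-to-Thursday 04:00-17:00 UTC working window, and successful logins that follow failures and so mark a validated credential) can be turned into a simple hunting rule. The following is an added example written for this article, not code from Microsoft's report; the sign-in events, the "Tor exit" addresses (taken from the TEST-NET documentation ranges) and the field layout are constructed for the demonstration, and the thresholds are assumptions you would tune to your tenant.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed for this example: a handful of "Tor exit" addresses from the
# TEST-NET documentation ranges. In practice load the published Tor exit
# list or your anonymizer/proxy feed instead.
TOR_EXIT_IPS = {"203.0.113.10", "203.0.113.11", "198.51.100.7"}

# The two Exchange endpoints the report says the spray tool hits.
LEGACY_ENDPOINTS = {"Autodiscover", "ActiveSync"}

FIREFOX_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0"
OUTLOOK_UA = "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.14326; Pro)"


def parse_ts(s: str) -> datetime:
    """Parse a UTC timestamp of the form 2021-10-10T05:12:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_activity_window(ts: datetime) -> bool:
    """Sunday..Thursday, 04:00-17:00 UTC (07:30-20:30 Iran Time, UTC+3:30):
    the operator hours Microsoft reports for DEV-0343. weekday(): Mon=0 .. Sun=6."""
    return ts.weekday() in (6, 0, 1, 2, 3) and 4 <= ts.hour < 17


def _constructed_spray(accounts, day="2021-10-10"):
    """Build the spray part of the sample (constructed data): each account is hit
    three times from two Tor exits, Autodiscover then ActiveSync, Firefox UA.
    2021-10-10 is a Sunday, inside the reported working window."""
    events = []
    for i, acct in enumerate(accounts):
        for n in range(3):
            ip = "203.0.113.10" if n % 2 == 0 else "203.0.113.11"
            endpoint = "Autodiscover" if n < 2 else "ActiveSync"
            ts = f"{day}T05:{i * 5 + n:02d}:00Z"
            events.append((ts, f"{acct}@example.com", ip, FIREFOX_UA, endpoint, False))
    return events


# Constructed sample sign-in events, not tenant data. Each tuple is
# (UTC timestamp, account, source IP, user agent, Exchange endpoint, succeeded).
SAMPLE_EVENTS = _constructed_spray(["alice", "bob", "carol", "dave", "erin", "frank"]) + [
    # The spray validated bob's password: a success from a Tor exit after failures.
    ("2021-10-10T05:40:00Z", "bob@example.com", "203.0.113.11", FIREFOX_UA, "ActiveSync", True),
    # A Saturday probe from Tor: counted, but outside the reported working hours.
    ("2021-10-09T12:00:00Z", "grace@example.com", "198.51.100.7", FIREFOX_UA, "Autodiscover", False),
    # Ordinary corporate traffic: modern client, not a legacy endpoint, ignored.
    ("2021-10-11T08:00:00Z", "carol@example.com", "192.0.2.5", OUTLOOK_UA, "Outlook", True),
    # A mistyped password from the office on ActiveSync: counted, but it weakens the profile.
    ("2021-10-11T08:05:00Z", "dave@example.com", "192.0.2.6", OUTLOOK_UA, "ActiveSync", False),
]


@dataclass
class SprayFinding:
    source_ips: set = field(default_factory=set)
    targeted_accounts: set = field(default_factory=set)
    failed_attempts: int = 0
    anonymizer_share: float = 0.0   # fraction of failures from Tor/proxy IPs
    firefox_share: float = 0.0      # fraction of failures carrying a Firefox UA
    in_window_share: float = 0.0    # fraction inside the Sun-Thu Iran-hours window
    validated_accounts: set = field(default_factory=set)  # success from Tor after failures


def detect_spray(events, min_accounts=5, min_failures=10):
    """Return a SprayFinding when failed Autodiscover/ActiveSync authentications
    span at least min_accounts distinct accounts and min_failures attempts,
    otherwise None. Accounts that afterwards log in successfully from an
    anonymizer IP are reported as validated (the refinement step in the report)."""
    f = SprayFinding()
    anon = firefox = in_window = 0
    for ts_s, user, ip, ua, endpoint, ok in sorted(events, key=lambda e: e[0]):
        if endpoint not in LEGACY_ENDPOINTS:
            continue
        if ok:
            if ip in TOR_EXIT_IPS and user in f.targeted_accounts:
                f.validated_accounts.add(user)
            continue
        f.source_ips.add(ip)
        f.targeted_accounts.add(user)
        f.failed_attempts += 1
        anon += ip in TOR_EXIT_IPS
        firefox += "Firefox/" in ua
        in_window += in_activity_window(parse_ts(ts_s))
    if len(f.targeted_accounts) < min_accounts or f.failed_attempts < min_failures:
        return None
    n = f.failed_attempts
    f.anonymizer_share, f.firefox_share, f.in_window_share = anon / n, firefox / n, in_window / n
    return f


if __name__ == "__main__":
    print(detect_spray(SAMPLE_EVENTS))
```

The three share values are the part worth looking at before paging anyone: a burst of failures with high Tor, Firefox and in-window shares matches the DEV-0343 tradecraft, whereas a low anonymizer share with ordinary client agents is more likely a misconfigured mail client. The validated_accounts set is the list to act on first, since those are the passwords the operators have confirmed.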
Microsoft recommends that Office 365 administrators immediately enable and deploy MFA (multifactor authentication) and, where possible, block all incoming traffic from anonymizing services such as Tor.