Cyber actors backed by Iran have been attacking critical infrastructure providers in the U.S. and other countries for more than a year, hitting sectors including energy, government and information technology, intelligence agencies from multiple countries said.
The warning about Iranian cyber activities came in an advisory released Oct. 16 by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and endorsed by the FBI, the National Security Agency and their counterparts in Canada and Australia. The agencies described tactics that the Iran-supported actors have used since October 2023, as observed in “FBI engagements with entities impacted by” the attacks.
Several approaches are documented in the report. Attackers gain initial access to target networks through brute force techniques such as password spraying, in which they use the same password against many different user accounts. If the user account has multi-factor authentication enabled, the attacker will bypass the safeguard by “push bombing” the account, hitting the user with multiple MFA notifications until they approve the request by accident or stop notifications.
Once they have entered the network, attackers often register MFA in their names to protect their access. The agencies observed two cases in which intruders took over an account with uncompleted MFA registration and set it to their own devices.
Discovering the attackers’ presence in a compromised system can be difficult because they make use of living off the land techniques to blend in with normal system activities. Cyber experts have seen these techniques used increasingly by actors linked to China — particularly the Volt Typhoon group — to infiltrate U.S. critical infrastructure organizations. (See China Preparing to ‘Wreak Havoc’ on US, Cyber Officials Warn.)
The agencies recommended reviewing authentication logs for multiple failed login attempts to valid accounts. To detect the use of compromised credentials, agencies said entities could look for a single IP address being used for multiple accounts, or cases of “impossible travel” when a single account shows logins from multiple IP addresses with significant geographic distances.
Mitigations include disabling user accounts and system access for departed staff, continuously reviewing MFA settings to ensure all active internet-facing protocols are covered and ensuring password policies align with relevant guidelines from the National Institute of Standards and Technology. The advisory also recommended that software manufacturers incorporate security by design principles to protect against actors using compromised credentials.
CISA and the other agencies said it is likely the Iranian actors’ goal is “to obtain credentials and information … that can then be sold to enable access to cybercriminals.” They did not indicate that they believe these particular attackers aim to disrupt the critical infrastructure providers themselves.
However, Iran has a longstanding place in U.S. security experts’ minds. The country’s history of “aggressive cyber operations” earned it an entry in the Director of National Intelligence’s 2024 Annual Threat Assessment, which noted that “Iran is willing to target countries with stronger cyber capabilities than itself.”
While many of Iran’s cyber operations are aimed at Israel and other rivals in the Middle East, the DNI observed that it has targeted the U.S. in the past. In 2020, cyber actors linked with Iran tried to interfere in the U.S. presidential election by attempting to obtain voter information, sending threatening emails to voters and spreading disinformation. The director said they may attempt to do so again in 2024.
