The goal of this presentation is to provide the audience with a deeper understanding of Iranian computer network attack operations with a particular emphasis on how these operations have evolved over the past year. This presentation will be based on telemetry gathered from Microsoft security products and incidents that Microsoft responded to over the past year.
This presentation will cover the following major points of evolution:
The increased use of ransomware by Iranian operators
Over the past year, Microsoft has observed multiple Iranian actors use ransomware in multiple incidents. These actors have employed a variety of approaches against different targets. Taken together, these attacks possibly signal that Iran has adopted ransomware as a tool for executing destructive attacks in a deniable way.
The shift in targeting focus to Israel
Over the past year, Microsoft observed multiple Iranian actors turn their attention to targets in Israel. For example, DEV-0133 (aka Lyceum) previously focused their attention on targets in Africa, but throughout 2021 this actor executed multiple campaigns on several different Israeli targets. This shift in targeting seen across multiple Iranian actors suggests that Iran is hesitant to directly provoke the United States and prefers to escalate its ‘cold war’ with Israel.
The adoption and evolution of ‘brute force’ attacks
Throughout 2021, Iranian actors have continued to rely heavily on ‘brute force attacks’. This style of attack includes indiscriminate exploitation of internet-facing appliances (e.g. CVE-2021-13379 and CVE-2021-34473). Examples of these tactics will include aggressive scanning operations employed by DEV-0270, an actor closely related to PHOSPHORUS, and DEV-0343, an actor that aggressively targets O365 tenants via password spray attacks. The continued use of this style of attack suggests that Iranian actors find value in ‘indiscriminate’ exploitation and are still able to achieve their political objectives via this approach.
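The password spray activity described above has a recognisable shape in sign-in telemetry: one source fails against many distinct accounts with only one or two attempts each, which is deliberately below the per-account lockout thresholds that a conventional single-account brute force would trip. The following detection logic is an added example written for this page, not code from the presentation or from Microsoft; the sign-in records are constructed (documentation IP ranges, example.com users), the CSV field layout is an assumption, and the thresholds (30-minute window, five or more accounts, at most two failures per account) are illustrative defaults a defender would tune to their own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (CSV: timestamp,source_ip,user,result).
# These are made-up records, not real telemetry.
SAMPLE_SIGNINS = [
    # low-and-slow spray: one source, many accounts, one guess each
    "2021-10-01T08:00:10Z,198.51.100.7,alice@example.com,FAILURE",
    "2021-10-01T08:04:02Z,198.51.100.7,bob@example.com,FAILURE",
    "2021-10-01T08:08:31Z,198.51.100.7,carol@example.com,FAILURE",
    "2021-10-01T08:12:44Z,198.51.100.7,dave@example.com,FAILURE",
    "2021-10-01T08:16:05Z,198.51.100.7,erin@example.com,FAILURE",
    "2021-10-01T08:18:20Z,198.51.100.7,frank@example.com,SUCCESS",
    "2021-10-01T08:20:59Z,198.51.100.7,grace@example.com,FAILURE",
    # a normal user mistyping her password twice from her own address
    "2021-10-01T08:30:00Z,192.0.2.5,alice@example.com,FAILURE",
    "2021-10-01T08:30:20Z,192.0.2.5,alice@example.com,FAILURE",
    "2021-10-01T08:30:40Z,192.0.2.5,alice@example.com,SUCCESS",
    # noisy single-account brute force: one user, many guesses
    "2021-10-01T09:00:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:01:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:02:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:03:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:04:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:05:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:06:00Z,203.0.113.9,bob@example.com,FAILURE",
    "2021-10-01T09:07:00Z,203.0.113.9,bob@example.com,FAILURE",
]


def parse_signin(line):
    """Parse one CSV record into a dict with a datetime timestamp."""
    ts, src, user, result = line.strip().split(",")
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user, "result": result}


def detect_password_spray(lines, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag sources that fail against many distinct accounts with only a few
    attempts each inside a sliding time window (the spray shape).
    Returns one alert per offending source, noting any account that the
    same source then signed into successfully during the spray span."""
    events = sorted((parse_signin(ln) for ln in lines), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAILURE"]
        spans = []
        start = 0
        for end in range(len(fails)):
            # shrink the window from the left until it fits
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                spans.append((fails[start]["ts"], fails[end]["ts"]))
        if not spans:
            continue
        first = min(s[0] for s in spans)
        last = max(s[1] for s in spans)
        # a success from the same source inside the span means a guess landed
        landed = sorted({e["user"] for e in evs
                         if e["result"] == "SUCCESS" and first <= e["ts"] <= last})
        alerts.append({
            "src": src,
            "accounts": len({f["user"] for f in fails if first <= f["ts"] <= last}),
            "start": first,
            "end": last,
            "successful_accounts": landed,
        })
    return alerts


def detect_single_account_brute_force(lines, min_failures=5):
    """Flag (source, account) pairs with many failures: the noisy shape that
    spraying is designed to avoid, and that per-account lockouts catch."""
    counts = defaultdict(int)
    for line in lines:
        e = parse_signin(line)
        if e["result"] == "FAILURE":
            counts[(e["src"], e["user"])] += 1
    return [(src, user, n) for (src, user), n in sorted(counts.items())
            if n >= min_failures]


if __name__ == "__main__":
    for a in detect_password_spray(SAMPLE_SIGNINS):
        print("spray:", a)
    for hit in detect_single_account_brute_force(SAMPLE_SIGNINS):
        print("brute force:", hit)
```

The two rules are complementary: the brute-force rule keys on failures per account and says nothing about 198.51.100.7, while the spray rule keys on distinct accounts per source and is blind to the eight guesses against bob. An alert whose `successful_accounts` list is non-empty is the one to act on first, because it indicates a credential that was actually guessed rather than just attempted.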