Iranian Cyber Actors Target Critical Infrastructure Networks: A Growing Threat
In October 2024, the National Security Agency (NSA), alongside several international cybersecurity bodies, issued a stern warning about a new wave of cyberattacks led by Iranian cyber actors. These malicious campaigns have targeted multiple critical infrastructure sectors, raising concerns about the vulnerabilities faced by essential services worldwide. From healthcare and energy to government networks, the methods used in these attacks are highly sophisticated, employing brute force techniques and exploiting weaknesses in multi-factor authentication (MFA) to compromise security.
An Overview of the Threat
Iranian cyber actors have been leveraging brute force attacks, including password spraying and MFA push bombing, to penetrate critical infrastructure networks since October 2023. These activities, which affect multiple sectors like healthcare, information technology, and government, show a high level of persistence and adaptability. Once they gain access, these attackers perform reconnaissance to gather valuable credentials and sensitive information, which are often sold to other cybercriminal groups, further expanding the scope of potential exploitation.
The techniques used in these operations demonstrate a concerted effort to bypass traditional security measures. The actors aim to obtain valid credentials, escalate their privileges within the networks, and often maintain persistent access through MFA modifications. They also exploit commonly used remote services like Citrix and Microsoft 365, taking advantage of weak or improperly configured security settings in these platforms.
Key Tactics, Techniques, and Procedures (TTPs)
- Brute Force and Credential Theft
Iranian actors use password spraying—a method where attackers attempt to gain unauthorized access by testing a small set of common passwords across many accounts, so that no single account accumulates enough failures to trigger a lockout. By targeting organizations with weak password policies or insufficient monitoring, they successfully compromise numerous user accounts. MFA push bombing, also known as MFA fatigue, is another method used by the attackers: by repeatedly sending MFA requests to a user whose password they already hold, they overwhelm the user, hoping the request will be approved out of frustration or confusion.
- Exploitation of MFA Systems
In multiple incidents, Iranian cyber actors exploited weak MFA implementations. After gaining access to accounts, the actors registered their own devices for MFA, allowing them to maintain persistence even after the password was changed. This method was especially effective when organizations had not fully secured their MFA settings, leaving a window open for attackers to manipulate the system.
- Lateral Movement and Privilege Escalation
Once inside a network, Iranian actors employed Remote Desktop Protocol (RDP) for lateral movement, using Microsoft's PowerShell scripting language to launch RDP binaries and move across systems. They exploited a known vulnerability in Microsoft's Netlogon (CVE-2020-1472) to escalate privileges, potentially allowing them to control the domain controller and further infiltrate the network.
- Reconnaissance and Credential Dumping
After gaining entry, these actors often performed reconnaissance using common Windows command-line tools like Nltest and Net group to gather information about domain controllers and administrative groups. They also used Kerberos Service Principal Name (SPN) enumeration techniques to capture Kerberos tickets, furthering their ability to escalate privileges and move laterally within networks.
The Impact on Critical Infrastructure
The targeted attacks on critical infrastructure are particularly alarming due to the sectors affected. Healthcare, energy, and government networks are essential to the functioning of modern society, and a breach in these areas can lead to severe consequences. For instance, the disruption of a healthcare system could delay medical services, impacting patient care. Similarly, energy and utility companies face risks of outages that could disrupt public services or, in extreme cases, cause widespread power failures.
One of the notable aspects of these attacks is the actors' use of virtual private network (VPN) services to hide their true locations, making it difficult for defenders to track them in real time. The VPNs used, such as Private Internet Access, further complicate the attribution process and provide an additional layer of anonymity to the attackers.
Detection and Mitigation Strategies
To protect against these evolving threats, the NSA, in collaboration with other cybersecurity agencies, has outlined several mitigation strategies. These include:
- Strengthening MFA: Organizations should ensure that their MFA implementations are phishing-resistant and adequately configured to cover all active, internet-facing protocols. Continuous review of MFA settings can help prevent unauthorized device registration.
- Reviewing Password Policies: Strong password policies that align with the latest NIST Digital Identity Guidelines are crucial. These policies should mandate the use of complex passwords and prevent commonly used passwords from being implemented.
- Monitoring Authentication Logs: Organizations are encouraged to review authentication logs regularly to detect unusual login attempts or multiple failed authentications. Impossible travel detection—monitoring for logins from geographically distant locations within short timeframes—is also a recommended strategy to flag suspicious activity.
- Lateral Movement Detection: Monitoring for RDP connections, especially those initiated through non-standard means like PowerShell, can help organizations detect lateral movement early.
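Two of the log-review checks above, password spray detection and impossible travel detection, worked through as an added example (this is illustrative code, not tooling from the NSA advisory or its partners). The sign-in records, the thresholds, and the assumption that each record already carries IP-geolocated coordinates are all constructed for the example.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records (timestamp, user, source_ip, result, lat, lon);
# lat/lon are assumed to come from the log source's IP geolocation.
SAMPLE_LOGINS = [
    ("2024-10-01T08:00:00", "alice", "203.0.113.5", "fail", 51.5, -0.1),
    ("2024-10-01T08:00:10", "bob", "203.0.113.5", "fail", 51.5, -0.1),
    ("2024-10-01T08:00:20", "carol", "203.0.113.5", "fail", 51.5, -0.1),
    ("2024-10-01T08:00:30", "dave", "203.0.113.5", "fail", 51.5, -0.1),
    ("2024-10-01T08:00:40", "frank", "203.0.113.5", "fail", 51.5, -0.1),
    ("2024-10-01T09:00:00", "frank", "198.51.100.7", "success", 38.9, -77.0),
    ("2024-10-01T09:30:00", "frank", "203.0.113.5", "success", 51.5, -0.1),
]

def parse(records):
    for ts, user, ip, result, lat, lon in records:
        yield datetime.fromisoformat(ts), user, ip, result, lat, lon

def detect_password_spray(records, min_accounts=5, window=timedelta(hours=1)):
    """Source IPs whose failures hit >= min_accounts distinct users in one window."""
    fails = {}  # ip -> [(time, user)], one entry per failed login
    for ts, user, ip, result, _, _ in parse(records):
        if result == "fail":
            fails.setdefault(ip, []).append((ts, user))
    def sprayed(events):  # slide a window starting at each failure in time order
        return any(len({u for t, u in events[i:] if t - start <= window}) >= min_accounts
                   for i, (start, _) in enumerate(events))
    return sorted(ip for ip, events in fails.items() if sprayed(sorted(events)))

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_impossible_travel(records, max_kmh=900):
    """Users whose consecutive successful logins imply travel faster than max_kmh."""
    last, flagged = {}, set()  # last: user -> (time, lat, lon) of previous success
    for ts, user, _, result, lat, lon in sorted(parse(records)):
        if result != "success":
            continue
        if user in last:
            prev_ts, plat, plon = last[user]
            hours = (ts - prev_ts).total_seconds() / 3600
            if hours > 0 and haversine_km(plat, plon, lat, lon) / hours > max_kmh:
                flagged.add(user)
        last[user] = (ts, lat, lon)
    return sorted(flagged)
```

On the sample data the spray check flags the single source that failed against five accounts in under a minute, and the travel check flags the account that succeeded from Washington and London half an hour apart; in production the thresholds should be tuned against the organization's own baseline of VPN and travel activity.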
The Global Collaboration
The advisory from the NSA is part of a broader, international response to this growing cyber threat. In addition to the NSA, agencies such as the FBI, CISA (Cybersecurity and Infrastructure Security Agency), the Australian Federal Police, and Canadian cybersecurity bodies are involved in tracking and mitigating these attacks. This international collaboration has proven vital in sharing intelligence, identifying new indicators of compromise (IOCs), and coordinating defensive efforts across borders.
The Path Forward
The battle against state-sponsored cyber threats, like those posed by Iranian actors, is far from over. As these groups continue to adapt their tactics, organizations must remain vigilant, investing in stronger defenses, regular security audits, and up-to-date training for staff. The complexity of modern cyberattacks requires a multi-layered approach to defense, combining technology, policy, and human vigilance to stay ahead of the curve.
Iranian cyber actors have demonstrated their capability to disrupt vital services and steal sensitive information, but with the continued collaboration of international cybersecurity agencies, the ability to detect, deter, and neutralize these threats is improving. By adopting the recommendations provided by the NSA and its partners, critical infrastructure organizations can strengthen their security posture and better protect themselves from these ever-evolving cyber threats.