Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Two of Redmond’s premier threat hunting units  — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.

Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that downstream attacks are targeting organizations in the defense, energy, and legal sectors

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.

[ READ: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation ]

In July 2021 this year, Microsoft said it caught a threat actor based in Iran that compromised a single Israel-based IT company that provides business management software.  Microsoft said the hacking group then used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. 

A few months later, Redmond’s threat hunting teams caught  a separate Iranian group hacking into email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain government clients.

Microsoft surmises that the downstream Bahrain government clients “were likely the ultimate target” and warned that the group has also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors.

The hacking group maintained persistence at the Bahrain IT integration organization from September through at least October.

[ READ: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense ]

Microsoft said credential theft from the original compromises of IT services companies are used in the downstream attacks.  [The Iranian attackers] dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” Microsoft explained.

The company said at least four of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. 

Redmond’s telemetry has picked up a major surge in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, Microsoft said it issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies.   

Over the three previous years, Microsoft barely issued 10 such notifications in response to Iranian hacking activity and because there are no obvious geo-political reasons for the India targeting, the company believes the Indian IT shops are being used “for indirect access to subsidiaries and clients outside India.”

Related: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyber Attack 

Related: New Code Execution Flaws In Solarwinds Orion Platform

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.