Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Supply Chain Security Fears Escalate as Iranian APTs Caught Hitting IT Services Sector

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.

Two of Redmond’s premier threat hunting units  — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.

Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.

Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that downstream attacks are targeting organizations in the defense, energy, and legal sectors

“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.

[ READ: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation ]

In July 2021 this year, Microsoft said it caught a threat actor based in Iran that compromised a single Israel-based IT company that provides business management software.  Microsoft said the hacking group then used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel. 

A few months later, Redmond’s threat hunting teams caught  a separate Iranian group hacking into email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain government clients.

Microsoft surmises that the downstream Bahrain government clients “were likely the ultimate target” and warned that the group has also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors.

The hacking group maintained persistence at the Bahrain IT integration organization from September through at least October.

[ READ: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense ]

Microsoft said credential theft from the original compromises of IT services companies are used in the downstream attacks.  [The Iranian attackers] dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” Microsoft explained.

The company said at least four of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks. 

Redmond’s telemetry has picked up a major surge in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, Microsoft said it issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies.   

Over the three previous years, Microsoft barely issued 10 such notifications in response to Iranian hacking activity and because there are no obvious geo-political reasons for the India targeting, the company believes the Indian IT shops are being used “for indirect access to subsidiaries and clients outside India.”

Related: Microsoft Exposes Iran-Linked APT Targeting U.S., Israeli Defense

Related: Hacked SolarWinds Software Lacked Basic Anti-Exploit Mitigation

Related: Researchers Link Mysterious ‘MeteorExpress’ Wiper to Iranian Train Cyber Attack 

Related: New Code Execution Flaws In Solarwinds Orion Platform

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.