Fears of software supply chain attacks escalated again this week with a new warning from Microsoft that it has caught Iranian threat actors breaking into IT services shops in India and Israel and using that access to hit the real targets.
Two of Redmond’s premier threat hunting units — the Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) — are sounding the alarm for a series of intrusions at companies that sell business management and integration software to millions of global organizations.
Once inside the IT services organizations, Microsoft said the Iranian hackers are “extending their attacks to compromise downstream customers,” much like the SolarWinds supply chain mega-hack that snagged thousands of corporate victims globally.
Microsoft warned of a significant surge in these attacks — more than 1,600 notifications to over 40 IT companies in response to Iranian targeting, compared to 48 notifications in 2020 — and warned that downstream attacks are targeting organizations in the defense, energy, and legal sectors
“As India and other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these providers’ public and private sector customers around the world matching nation state interests,” Microsoft said in a report calling attention to the surge in these Iran-linked attacks.
In July 2021 this year, Microsoft said it caught a threat actor based in Iran that compromised a single Israel-based IT company that provides business management software. Microsoft said the hacking group then used access to that IT company to extend their attacks and compromise downstream customers in the defense, energy, and legal sectors in Israel.
A few months later, Redmond’s threat hunting teams caught a separate Iranian group hacking into email accounts at a Bahrain-based IT integration company that works on IT integration with Bahrain government clients.
Microsoft surmises that the downstream Bahrain government clients “were likely the ultimate target” and warned that the group has also compromised various accounts at a partially government-owned organization in the Middle East that provide information and communications technology to the defense and transportation sectors.
The hacking group maintained persistence at the Bahrain IT integration organization from September through at least October.
Microsoft said credential theft from the original compromises of IT services companies are used in the downstream attacks. [The Iranian attackers] dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” Microsoft explained.
The company said at least four of those victims were compromised using the acquired credentials and access from the IT company in the July and August attacks.
Redmond’s telemetry has picked up a major surge in these and other Iranian groups targeting IT companies based in India beginning in mid-August. From mid-August to late September, Microsoft said it issued 1,788 nation state notifications (NSNs) across Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies.
Over the three previous years, Microsoft barely issued 10 such notifications in response to Iranian hacking activity and because there are no obvious geo-political reasons for the India targeting, the company believes the Indian IT shops are being used “for indirect access to subsidiaries and clients outside India.”