Joint cyber security advisory: Iranian cyber actors using brute force to compromise critical infrastructure organizations

The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) join the following partners to warn of Iranian cyber actors’ frequent use of brute force to compromise organizations across multiple critical infrastructure sectors:

  • Federal Bureau of Investigation (FBI)
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • National Security Agency (NSA)
  • Australian Federal Police (AFP)
  • Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)

Targets include the health care, government, information technology, engineering and energy sectors. Iranian cyber actors likely aim to obtain credentials and information describing the victim’s network, which can then be sold to cyber criminals to enable further access.

Since October 2023, Iranian actors have used brute force techniques, such as password spraying and multi-factor authentication (MFA) push bombing, to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access.
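The three behaviours in the paragraph above (password spraying, MFA push bombing, and a follow-on MFA registration change) each leave a distinct pattern in identity-provider sign-in logs. The script below is an added example written for this page; it is not code from the advisory or from the Cyber Centre. The event format and the sample events are constructed for illustration, and the thresholds (five accounts per source, five pushes per user) are assumed starting points to tune against your own baseline.

```python
"""Detection sketch for the brute-force TTPs described in the advisory.

Added example, not part of the advisory. The event tuple format below is
assumed; map the fields onto your identity provider's sign-in export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Each entry is
# (timestamp, event type, user, source IP). Event types used here:
#   "login_fail"   - password rejected
#   "login_ok"     - password accepted
#   "mfa_push"     - push notification sent to the user's device
#   "mfa_register" - a new MFA method was added to the account
SAMPLE_EVENTS = [
    ("2024-01-10T08:00:01", "login_fail", "alice", "198.51.100.7"),
    ("2024-01-10T08:00:03", "login_fail", "bob", "198.51.100.7"),
    ("2024-01-10T08:00:05", "login_fail", "carol", "198.51.100.7"),
    ("2024-01-10T08:00:07", "login_fail", "dave", "198.51.100.7"),
    ("2024-01-10T08:00:09", "login_fail", "erin", "198.51.100.7"),
    ("2024-01-10T08:00:11", "login_ok", "frank", "198.51.100.7"),
    # frank's password was accepted; a burst of pushes follows until one is approved
    ("2024-01-10T08:01:00", "mfa_push", "frank", "198.51.100.7"),
    ("2024-01-10T08:01:20", "mfa_push", "frank", "198.51.100.7"),
    ("2024-01-10T08:01:40", "mfa_push", "frank", "198.51.100.7"),
    ("2024-01-10T08:02:00", "mfa_push", "frank", "198.51.100.7"),
    ("2024-01-10T08:02:20", "mfa_push", "frank", "198.51.100.7"),
    ("2024-01-10T08:03:30", "login_ok", "frank", "198.51.100.7"),
    ("2024-01-10T08:05:00", "mfa_register", "frank", "198.51.100.7"),
    # benign background: one user mistyping a password twice from the office
    ("2024-01-10T08:10:00", "login_fail", "grace", "203.0.113.5"),
    ("2024-01-10T08:10:30", "login_fail", "grace", "203.0.113.5"),
    ("2024-01-10T08:11:00", "login_ok", "grace", "203.0.113.5"),
    ("2024-01-10T08:11:05", "mfa_push", "grace", "203.0.113.5"),
]


def parse(events):
    """Turn the tuple list into (datetime, kind, user, ip) records."""
    return [(datetime.fromisoformat(ts), kind, user, ip) for ts, kind, user, ip in events]


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5):
    """Return {source_ip: distinct_users_failed} for sources whose password
    failures span at least `min_users` accounts inside one `window`.
    Many accounts, few tries each, one source: the spraying signature, which
    per-account lockout counters miss entirely."""
    fails = defaultdict(list)
    for ts, kind, user, ip in parse(events):
        if kind == "login_fail":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        attempts.sort()
        best = 0
        for i, (start, _) in enumerate(attempts):  # sliding window per source
            users = {u for t, u in attempts[i:] if t - start < window}
            best = max(best, len(users))
        if best >= min_users:
            flagged[ip] = best
    return flagged


def detect_mfa_push_bombing(events, window=timedelta(minutes=10), min_prompts=5):
    """Return {user: prompt_count} for users who received at least `min_prompts`
    push notifications inside one `window`. A legitimate sign-in produces one
    prompt; a run of prompts the user did not initiate is push bombing."""
    pushes = defaultdict(list)
    for ts, kind, user, ip in parse(events):
        if kind == "mfa_push":
            pushes[user].append(ts)
    flagged = {}
    for user, times in pushes.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            best = max(best, sum(1 for t in times[i:] if t - start < window))
        if best >= min_prompts:
            flagged[user] = best
    return flagged


def correlate(events):
    """Tie the behaviours together: a new MFA registration on an account that was
    push-bombed, or from a source that was spraying, is the persistence step the
    advisory describes and should be triaged ahead of either signal alone.
    Returns a list of (timestamp, user, source_ip)."""
    spray_ips = detect_password_spray(events)
    bombed = detect_mfa_push_bombing(events)
    hits = []
    for ts, kind, user, ip in parse(events):
        if kind == "mfa_register" and (user in bombed or ip in spray_ips):
            hits.append((ts.isoformat(), user, ip))
    return hits


if __name__ == "__main__":
    print("spraying sources:", detect_password_spray(SAMPLE_EVENTS))
    print("push-bombed users:", detect_mfa_push_bombing(SAMPLE_EVENTS))
    print("suspect MFA registrations:", correlate(SAMPLE_EVENTS))
```

On the sample data the spray detector flags `198.51.100.7` (five accounts in ten seconds) while ignoring `grace`, who failed twice from one address; the push detector flags `frank`; and the correlation returns frank's MFA registration from the spraying source. In production the windows and thresholds should be derived from observed baselines, and any `mfa_register` hit should trigger review of the new method rather than an automatic rollback.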

This joint advisory provides the actors’ tactics, techniques and procedures along with indicators of compromise. Critical infrastructure organizations should follow the guidance provided in the advisory. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Read the full joint cyber security advisory: Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations.
