Joint cyber security advisory: Iranian cyber actors using brute force to compromise critical infrastructure organizations

The Communications Security Establishment Canada (CSE) and its Canadian Centre for Cyber Security (Cyber Centre) join the following partners to warn of Iranian cyber actors’ frequent use of brute force to compromise organizations across multiple critical infrastructure sectors.

  • Federal Bureau of Investigation (FBI)
  • Cybersecurity and Infrastructure Security Agency (CISA)
  • National Security Agency (NSA)
  • Australian Federal Police (AFP)
  • Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC)

Targets include the health care, government, information technology, engineering and energy sectors. Iranian cyber actors likely aim to obtain credentials and information describing the victim’s network that can then be sold to cyber criminals to enable their access.

Since October 2023, Iranian actors have used brute force, such as password spraying and multi-factor authentication (MFA) push bombing, to compromise user accounts and obtain access to organizations. The actors frequently modified MFA registrations, enabling persistent access. The actors performed discovery on the compromised networks to obtain additional credentials and identify other information that could be used to gain additional points of access.
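The following detection sketch is an added example, not part of the advisory. It correlates the three behaviours described above (password spraying, MFA push bombing, and a subsequent MFA registration change) over constructed authentication events; the event names, log layout and thresholds are assumptions to adapt to your identity provider's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the advisory): time, source IP, user, event
SAMPLE_LOG = """\
2024-01-10T02:00:05 203.0.113.7 alice login_fail
2024-01-10T02:00:09 203.0.113.7 bob login_fail
2024-01-10T02:00:14 203.0.113.7 carol login_fail
2024-01-10T02:00:20 203.0.113.7 dave login_fail
2024-01-10T02:00:26 203.0.113.7 erin login_ok
2024-01-10T02:01:00 203.0.113.7 erin mfa_push_denied
2024-01-10T02:01:20 203.0.113.7 erin mfa_push_denied
2024-01-10T02:01:40 203.0.113.7 erin mfa_push_denied
2024-01-10T02:02:00 203.0.113.7 erin mfa_push_approved
2024-01-10T02:05:00 203.0.113.7 erin mfa_device_registered
2024-01-10T09:00:00 198.51.100.4 frank login_fail
"""

def parse(log):
    rows = (line.split() for line in log.splitlines() if line.strip())
    return [(datetime.fromisoformat(t), ip, user, ev) for t, ip, user, ev in rows]

def spray_sources(events, min_users=4, window=timedelta(minutes=10)):
    """Source IPs whose failed logins hit many distinct accounts within the window."""
    fails = defaultdict(list)
    for t, ip, user, ev in events:
        if ev == "login_fail":
            fails[ip].append((t, user))
    return {ip for ip, items in fails.items() for t0, _ in items
            if len({u for t, u in items if t0 <= t <= t0 + window}) >= min_users}

def push_bombed_users(events, min_denied=3, window=timedelta(minutes=10)):
    """Users who approved a push right after a burst of denied pushes."""
    denied, flagged = defaultdict(list), {}
    for t, ip, user, ev in events:
        if ev == "mfa_push_denied":
            denied[user].append(t)
        elif ev == "mfa_push_approved":
            recent = [d for d in denied[user] if t - d <= window]
            if len(recent) >= min_denied:
                flagged[user] = t  # time of the suspicious approval
    return flagged

def mfa_changes_after_bombing(events, window=timedelta(hours=1)):
    """MFA registrations made shortly after a suspicious push approval."""
    bombed = push_bombed_users(events)
    return [(user, ip) for t, ip, user, ev in events
            if ev == "mfa_device_registered" and user in bombed
            and timedelta(0) <= t - bombed[user] <= window]
```

A single failed login from one address (the `frank` row) stays below every threshold, which is the baseline the spray and push-burst rules are meant to separate from.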

This joint advisory provides the actors’ tactics, techniques and procedures along with indicators of compromise. Critical infrastructure organizations should follow the guidance provided in the advisory. At a minimum, organizations should ensure all accounts use strong passwords and register a second form of authentication.

Read the full joint cyber security advisory: Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations.
