In a joint advisory issued on October 16, 2024, cybersecurity and intelligence agencies from the U.S., Canada, Australia, and allied partners warn of a sustained campaign by Iranian nation-state threat actors.
Since October 2023, these actors have infiltrated critical infrastructure sectors, using brute force attacks, password spraying, and MFA fatigue to gain access to organizations in healthcare, government, information technology, engineering, and energy sectors.
These threat actors have a dual motive: persistent access and selling compromised credentials on cybercriminal forums, creating further risks of ransomware and secondary breaches.
Executive Summary
Since October 2023, Iranian nation-state threat actors have intensified their focus on critical infrastructure sectors including healthcare, government, energy, and information technology, using a range of sophisticated tactics.
Disruptions in these fields can cascade into broader societal impacts. The persistent nature of these attacks – marked by brute force entry, lateral movement, and encrypted command-and-control (C2) channels – reveals the attackers’ intent to maintain long-term control and monetize compromised assets.
The convergence of geopolitical interests with criminal markets, such as the sale of credentials on underground forums, adds complexity, requiring organizations to adopt more intelligence-driven defense strategies.
Stakeholders must move from reactive responses to proactive, continuous threat exposure management (CTEM), integrating threat intelligence into daily operations and enhancing visibility into user behavior, network traffic, and authentication anomalies.
Tactics, Techniques, and Procedures (TTPs) of Iranian Threat Actors
Iranian nation-state threat actors leverage a range of sophisticated tactics, techniques, and procedures (TTPs) to compromise critical infrastructure. These TTPs reflect a deliberate approach to infiltrate systems, escalate privileges, and move laterally within networks, often bypassing security controls through advanced methods.
Here is an overview of their most prominent techniques and what a typical attack may look like:
1. Initial Access
The attackers begin with password spraying or brute force attacks to gain access to cloud platforms like Microsoft 365, Azure, or Citrix. They take advantage of poor password hygiene on these platforms, repeatedly attempting common or default passwords until they successfully compromise an account.
In an ideal scenario (for them), MFA isn’t enabled and they compromise the account. If MFA is enabled, the attackers resort to MFA fatigue or push bombing techniques, bombarding the user with repeated authentication requests until they approve one out of frustration or mistake. This allows the attackers to bypass the additional security layer and gain unauthorized access to the account.
2. Credential Access
Once inside, their next objective is to extract additional credentials to expand their control. One of the most effective techniques they use is Kerberoasting, which targets the Kerberos authentication protocol used in many enterprise environments. Kerberoasting works in three steps:
- The attackers query Active Directory to identify accounts that have service principal names (SPNs) registered; these service accounts often hold elevated privileges, such as domain administrator access.
- Once they identify these accounts, the attackers request Kerberos service tickets for them; each ticket is encrypted with the service account's password hash.
- The attackers extract the encrypted tickets and attempt to crack the hashes offline using brute force or password-cracking tools. This method avoids triggering security alarms, as the cracking happens outside the targeted network.
Other techniques have also been used for credential access. These include:
- Password dumping, where attackers use tools to extract stored credentials from compromised machines, including cached passwords or password vaults.
- PowerShell credential harvesting, in which attackers run PowerShell commands to dump Active Directory accounts and credentials.
- AS-REP roasting, a technique that targets Kerberos accounts without pre-authentication.
3. Persistence and Privilege Escalation
To establish persistence and escalate privileges within a compromised network, Iranian actors typically exploit known vulnerabilities, such as Zerologon (CVE-2020-1472). This vulnerability allows attackers to impersonate a domain controller, providing them administrative access by exploiting flaws in Microsoft's Netlogon Remote Protocol. Despite a patch being released in 2020, it remains an effective tool for attackers targeting organizations with unpatched systems.
With these administrative privileges, attackers can manipulate authentication processes. In some cases, they’ve registered their own devices with compromised MFA systems, ensuring long-term access without detection.
4. Lateral Movement
Iranian threat actors leverage lateral movement to navigate within compromised networks. One of their key techniques involves the Remote Desktop Protocol (RDP), which enables remote control of networked machines.
To initiate RDP sessions, attackers often employ “living off the land” tactics—using legitimate tools already present in the environment to avoid detection. For instance, they might embed PowerShell commands within benign-looking documents to launch RDP sessions stealthily.
Once inside the network, attackers perform reconnaissance to identify high-value systems and escalate their access. They may also use tools such as mstsc.exe (Microsoft Terminal Services Client) through PowerShell to maintain persistence without raising alarms.
Their goal is to seamlessly move between systems, reaching sensitive or critical infrastructure, like energy grids or healthcare management systems, to either disrupt services or exfiltrate valuable data.
5. Exfiltration and Command & Control
Iranian threat actors prioritize stealthy exfiltration of sensitive data, often leveraging encrypted channels and advanced tools like Cobalt Strike for command-and-control (C2) operations. Originally designed for legitimate penetration testing, Cobalt Strike has become a favorite among attackers for its ability to establish persistent connections and evade detection through encrypted communication. The attack techniques used with Cobalt Strike are documented in detail elsewhere.
Exfiltrated data may include organizational secrets, login credentials, or network blueprints, all of which can be sold to cybercriminals on underground forums or used for follow-up attacks.
The attackers also employ DNS-based exfiltration methods, disguising data transfers within standard DNS queries to evade detection. This “living-off-the-land” approach allows attackers to exploit legitimate tools and protocols without raising immediate red flags, making it difficult for security systems to differentiate malicious activity from normal network behavior.
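DNS tunnelling stands out in resolver logs even when the payload is encrypted: data has to be encoded into the subdomain labels, so a single registrable domain receives an unusually large number of unique, long, high-entropy names, often as TXT or NULL queries. The following scoring routine is an added example written for this post, not code from the advisory or from OP Innovate. The log lines are constructed in a BIND-like "query:" layout, the registrable-domain guess is a deliberate simplification (the last two labels; real code should consult the public suffix list), and the thresholds are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines in a BIND-like "query:" layout. Client
# addresses and domain names are made up for this example.
SAMPLE_DNS_LOG = """\
16-Oct-2024 11:00:01.001 client 10.0.5.21#51000: query: www.microsoft.com IN A
16-Oct-2024 11:00:01.120 client 10.0.5.21#51001: query: login.microsoftonline.com IN A
16-Oct-2024 11:00:02.004 client 10.0.7.88#40001: query: 4a7f1c9e2b8d3f6a0c5e7b9d1f3a5c7e.t.corp-updates.net IN TXT
16-Oct-2024 11:00:02.210 client 10.0.7.88#40002: query: 9b2d4f6a8c0e1a3c5e7f9b1d3f5a7c9e.t.corp-updates.net IN TXT
16-Oct-2024 11:00:02.415 client 10.0.7.88#40003: query: c3e5a7f9b1d2f4a6c8e0b2d4f6a8c0e2.t.corp-updates.net IN TXT
16-Oct-2024 11:00:02.620 client 10.0.7.88#40004: query: e1f3a5c7e9b0d2f4a6c8e0b2d4f6a8c1.t.corp-updates.net IN TXT
16-Oct-2024 11:00:02.825 client 10.0.7.88#40005: query: 7d9f1b3d5f7a9c1e3a5c7e9b1d3f5a7d.t.corp-updates.net IN TXT
16-Oct-2024 11:00:03.030 client 10.0.7.88#40006: query: b0d2f4a6c8e0a2c4e6a8c0e2a4c6e8a0.t.corp-updates.net IN TXT
16-Oct-2024 11:00:05.000 client 10.0.5.40#52000: query: fs01.corp.local IN A
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Extract client, queried name and query type from each matching line."""
    out = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            out.append({"client": m["client"], "name": m["name"].lower().rstrip("."),
                        "qtype": m["qtype"]})
    return out


def shannon_entropy(s):
    """Bits of entropy per character; hex-encoded data scores close to 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(name):
    """Crude registrable-domain guess: the last two labels. This is a
    simplification for the example; production code should use the
    public suffix list."""
    return ".".join(name.split(".")[-2:])


def score_domains(queries, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Aggregate queries per registrable domain and flag domains that receive
    many unique, long, high-entropy subdomain labels (data encoded in names)."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(),
                                 "label_lens": [], "entropies": [], "qtypes": Counter()})
    for q in queries:
        dom = registered_domain(q["name"])
        sub = q["name"][:-len(dom)].rstrip(".") if q["name"] != dom else ""
        s = stats[dom]
        s["clients"].add(q["client"])
        s["qtypes"][q["qtype"]] += 1
        if sub:
            longest = max(sub.split("."), key=len)   # the label carrying the payload
            s["subdomains"].add(sub)
            s["label_lens"].append(len(longest))
            s["entropies"].append(shannon_entropy(longest))

    flagged = []
    for dom, s in stats.items():
        if len(s["subdomains"]) < min_unique:
            continue
        avg_len = sum(s["label_lens"]) / len(s["label_lens"])
        avg_ent = sum(s["entropies"]) / len(s["entropies"])
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged.append({"domain": dom, "unique_subdomains": len(s["subdomains"]),
                            "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2),
                            "clients": sorted(s["clients"]), "qtypes": dict(s["qtypes"])})
    return flagged


if __name__ == "__main__":
    for f in score_domains(parse_queries(SAMPLE_DNS_LOG)):
        print(f"[ALERT] possible DNS tunnelling to {f['domain']}: "
              f"{f['unique_subdomains']} unique names, avg label {f['avg_label_len']} chars, "
              f"entropy {f['avg_entropy']} from {', '.join(f['clients'])} ({f['qtypes']})")
```

Because CDNs and some telemetry services also generate long, unique hostnames, the useful deployment is per-client baselining plus an allow-list of known SaaS domains, with the ratio of unique names to total queries as the primary signal rather than any single threshold.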
Indicators of Compromise (IoCs)
Activity by Iranian actors has produced various Indicators of Compromise (IoCs), including malicious IP addresses and suspicious devices registered with MFA systems, that defenders can use to spot intrusions into critical infrastructure.
The hashes of malicious files associated with Iranian threat actor activity include:
- 1F96D15B26416B2C7043EE7172357AF3AFBB002A
- 3D3CDF7CFC881678FEBCAFB26AE423FE5AA4EFEC
Additionally, the following three devices were seen registered with MFA systems:
- Samsung Galaxy A71 (SM-A715F)
- Samsung SM-G998B
- Samsung SM-M205F
For a full, updated list of IoCs, including the IPs associated with malicious behavior, refer to CISA’s official advisory.
Mitigations for Defenders
Strengthening password policy should be a top priority for defenders, as weak passwords are the most common entry point in these campaigns. Here are some best practices according to the latest NIST guidelines:
- Longer Passphrases: NIST recommends passwords of at least 15 characters for better security.
- Simplified Rules: Passwords no longer need a mix of special characters, numbers, and upper/lowercase letters.
- No Mandatory Changes: Periodic password changes are only advised if a compromise is detected.
- User-Friendly Flexibility: Passwords can include ASCII and Unicode characters and support up to 64 characters.
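A policy along these lines is easy to encode: enforce length, normalise Unicode before counting characters, screen against a blocklist of common or breached passwords, and skip composition rules entirely. The validator below is an added example written for this post, not code from NIST, the advisory or OP Innovate. It uses the page's figures (15-character minimum, 64 as the upper bound) and treats the constructed blocklist, the username check and the repeated-pattern check as assumptions layered on top of the page's four points.

```python
import unicodedata

# Constructed blocklist standing in for a breached/common-password corpus.
# Real deployments check against a large list of known-compromised passwords.
BLOCKLIST = {"password", "password1", "passwordpassword", "welcome1welcome1",
             "summer2024summer", "qwerty123qwerty123"}

MIN_LENGTH = 15   # the page's stated recommendation for passphrase length
MAX_LENGTH = 64   # the page says "up to 64 characters"; treated here as the ceiling


def normalize(candidate):
    """NFKC-normalize so equivalent Unicode spellings compare equal. Length is
    then counted in code points, so one Unicode character counts as one."""
    return unicodedata.normalize("NFKC", candidate)


def check_password(candidate, username=None, blocklist=BLOCKLIST):
    """Return (accepted, reason). No composition rules are enforced: length,
    a blocklist check and a few context checks replace the classic
    'one upper, one digit, one symbol' requirements."""
    pw = normalize(candidate)
    n = len(pw)
    if n < MIN_LENGTH:
        return False, f"too short: {n} characters, minimum is {MIN_LENGTH}"
    if n > MAX_LENGTH:
        return False, f"too long: {n} characters, maximum is {MAX_LENGTH}"
    if pw.lower() in blocklist:
        return False, "appears in the blocked-password list"
    if username and username.lower() in pw.lower():
        return False, "contains the username"
    # a short unit repeated to reach the length (e.g. 'abcabcabcabcabc')
    for unit in range(1, n // 2 + 1):
        if n % unit == 0 and pw == pw[:unit] * (n // unit):
            return False, "short pattern repeated"
    return True, "accepted"


if __name__ == "__main__":
    for sample in ["Tr0ub4dor&3", "correct horse battery staple",
                   "PasswordPassword", "abcabcabcabcabcabc"]:
        ok, why = check_password(sample)
        print(f"{'OK ' if ok else 'NO '} {sample!r}: {why}")
```

Note what the validator does not do: it never forces periodic rotation and never rejects a long passphrase for lacking a digit or symbol, which is exactly the shift the page describes. The blocklist is where the real strength comes from; pair it with a check against a known-breach dataset before relying on it.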
Security teams must also proactively monitor their networks for Indicators of Compromise (IoCs) outlined in the joint advisory. Effective IoC monitoring helps identify malicious activities early, allowing defenders to respond swiftly and minimize potential damage.
Recommendations for IoC Monitoring
To enhance detection capabilities, organizations should focus on the following:
- Unusual login behavior: Monitor for brute force attempts and rapid sequences of failed logins, which may indicate password spraying attacks.
- MFA activity monitoring: Detect unexpected device registrations or frequent MFA setting changes, which could signal MFA fatigue or unauthorized access.
- Suspicious use of administrative tools: Track the use of privileged tools like PowerShell and RDP, especially when used in abnormal contexts.
Organizations can integrate these IoCs into security monitoring solutions such as SIEM platforms (e.g., Splunk or IBM QRadar) to correlate suspicious events across systems. Real-time alerts allow for swift action, ensuring threat actors are identified and contained before they escalate their activities.
Counteracting MFA Fatigue Attacks
Given the increased use of MFA fatigue methods—where attackers bombard users with repeated push notifications to gain accidental approval—security teams must emphasize phishing-resistant MFA strategies.
See the infographic below for best practices in phishing-resistant MFA:
For a complete list of mitigation strategies specifically tailored to counter the tactics used by Iranian nation-state threat actors, refer to the joint advisory.
Suspecting a Breach? Contact OP Innovate
At OP Innovate, we combine deep technical expertise with innovative strategies to ensure our clients are protected from even the most sophisticated threats. Our incident response service helps organizations quickly contain the threat and identify the root cause, whether it’s a ransomware attack, business email compromise, or a web application breach.
Leveraging tools like our ANT rapid response system, we ensure a fast, efficient response, while our experts—ranging from incident response managers to threat hunters and negotiators—work together to resolve incidents and minimize damage.
With over 10,000 hours of incident response under our belt, we’ve handled a wide variety of cyber incidents, delivering peace of mind to our clients every step of the way.