Have you ever wondered how hackers operate to target large-scale organizations? March witnessed a series of sophisticated attacks targeting Microsoft 365 accounts in the Middle East. Discover the behind-the-scenes of this cyber operation that shook Israel and the United Arab Emirates.
The 3 key facts not to miss
- More than 300 Israeli organizations and about twenty in the United Arab Emirates were targeted by hackers in March.
- The attacks coincided with Iranian missile strikes, primarily targeting municipalities.
- The hackers used a “password spraying” technique to access Microsoft 365 accounts.
Attacks in the Middle East: a well-oiled strategy
In March, more than 300 organizations in Israel and about twenty in the United Arab Emirates were targeted by a hacking campaign. The attacks mainly targeted municipalities, suggesting a link with the Iranian missile strikes of the same period. The hackers used a “password spraying” method, a technique that tries a few common passwords against hundreds of accounts at once rather than many passwords against a single account, so that per-account lockout thresholds are never reached.
The stages of the attack on Microsoft 365 accounts
The hackers’ plan unfolded in three distinct phases. First, a massive scan was conducted from Tor exit nodes, using a user agent masquerading as Internet Explorer 10. Once valid credentials were found, connections were made via VPN IP addresses geolocated in Israel, with services like Windscribe or NordVPN, allowing them to bypass Microsoft 365’s geographical restrictions. Finally, the hackers accessed the mailboxes and the data they contained.
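To show how the three phases described above leave traces a defender can look for, here is an added example (not from the article or from Check Point's research) that runs three checks over constructed sign-in records: many distinct accounts failing from one source inside a short window (the spray itself), the Internet Explorer 10 user-agent token used during scanning, and a later successful login for a sprayed account from a different address (the VPN pivot). Thresholds, account names, addresses and user-agent strings are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical, not taken from the report):
# (timestamp, account, source IP, user agent, result)
UA_IE10 = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
UA_EDGE = "Mozilla/5.0 (Windows NT 10.0) Edg/122.0"
SIGNINS = [
    ("2025-03-05T02:00:01", "alice@city.example", "198.51.100.7", UA_IE10, "failure"),
    ("2025-03-05T02:00:03", "bob@city.example",   "198.51.100.7", UA_IE10, "failure"),
    ("2025-03-05T02:00:05", "carol@city.example", "198.51.100.7", UA_IE10, "failure"),
    ("2025-03-05T02:00:08", "dave@city.example",  "198.51.100.7", UA_IE10, "failure"),
    ("2025-03-05T02:00:10", "erin@city.example",  "198.51.100.7", UA_IE10, "failure"),
    ("2025-03-05T02:00:12", "frank@city.example", "198.51.100.7", UA_IE10, "success"),
    ("2025-03-05T02:31:00", "frank@city.example", "203.0.113.9",  UA_EDGE, "success"),
    ("2025-03-05T08:10:00", "gwen@city.example",  "192.0.2.44",   UA_EDGE, "success"),
    ("2025-03-05T08:12:00", "hank@city.example",  "192.0.2.45",   UA_EDGE, "failure"),
    ("2025-03-05T08:12:30", "hank@city.example",  "192.0.2.45",   UA_EDGE, "failure"),
    ("2025-03-05T08:13:00", "hank@city.example",  "192.0.2.45",   UA_EDGE, "success"),
]

def spraying_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: accounts} for source IPs whose failed sign-ins hit at least
    min_accounts distinct accounts inside one window: many accounts, one or two
    attempts each, which is what a spray looks like (one account failing
    repeatedly, as hank does above, is not flagged)."""
    fails = defaultdict(list)
    for ts, acct, ip, _ua, result in events:
        if result == "failure":
            fails[ip].append((datetime.fromisoformat(ts), acct))
    flagged = {}
    for ip, rows in fails.items():
        rows.sort()
        for i, (t0, _) in enumerate(rows):          # window starting at each failure
            accts = {a for t, a in rows[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged[ip] = accts
                break
    return flagged

def legacy_client_sources(events):
    """Source IPs presenting an Internet Explorer 10 user agent (MSIE 10.0 token),
    the client string the scanning phase masqueraded as."""
    return {ip for _ts, _a, ip, ua, _r in events if "MSIE 10.0" in ua}

def follow_on_logins(events, sprayers):
    """Successful sign-ins for any account a spraying source touched, coming from
    a different address: the 'valid credentials found, then login via VPN' pivot."""
    touched = {a for _ts, a, ip, _ua, _r in events if ip in sprayers}
    return [(a, ip) for _ts, a, ip, _ua, r in events
            if r == "success" and a in touched and ip not in sprayers]
```

Run on the constructed data, the spray source is 198.51.100.7, it is also the only IE 10 client, and frank's later login from 203.0.113.9 is the one follow-on sign-in worth reviewing.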
The targets and motivations behind the attacks
Check Point Research noticed a correlation between the cities targeted by the attacks and those hit by Iranian missile strikes in March. Municipalities, often on the front line to coordinate relief and assess damage after a bombing, represented prime targets. Access to their messaging systems would allow hackers to assess the effectiveness of the strikes, a technique called “Bombing Damage Assessment.” Other sectors, such as technology companies, transportation and logistics, as well as health and industry, were also affected, albeit to a lesser extent.
Gray Sandstorm and the suspicions around the attackers
A lead points to Gray Sandstorm, a group linked to the Islamic Revolutionary Guard Corps. However, Check Point describes this attribution as “moderate confidence,” leaving the door open to the involvement of other actors. The tools and infrastructure used in the attack, such as Tor and VPNs, are accessible to various groups, making definitive attribution difficult.
Protecting technology companies against “password spraying”
As “password spraying” attacks continue to pose challenges to companies, strengthening security measures becomes essential. Adopting multi-factor authentication and enforcing strong password policies are the measures to prioritise against these persistent threats. Raising employee awareness of digital security can also play a crucial role in protecting sensitive data.