Thought leaders speak out on Microsoft's Iranian hacker news
Cybersecurity thought leaders have spoken out on the latest news from Microsoft about Iranian hackers. Microsoft announced earlier this week that it had seen six different groups in Iran deploying ransomware since last year.
Microsoft said one of the groups spends significant time and energy trying to build rapport with their intended victims before targeting them with spear-phishing campaigns. The group uses fake conference invitations or interview requests and frequently masquerades as officials at think tanks in Washington, D.C., as a cover. "Once rapport is built and a malicious link is sent, the Iranians are extra pushy at trying to get their victims to click on it," said James Elliott, a member of the Microsoft Threat Intelligence Center.
IntSights, a Rapid7 Company
Paul Prudhomme, Head of Threat Intelligence Advisory at IntSights, a Rapid7 Company, says: "Disruption and destruction towards governments and critical infrastructure have been a constant feature of state-sponsored Iranian attacks since 2012. Therefore, the news is no surprise.
"Government agencies and defence contractors have long been top targets for state-sponsored Iranian actors, with breaches targeting political and military intelligence and defence intellectual property yielding great results.
"Despite this turn by Iranian hacking groups to ransomware attacks, state-sponsored Iranian attacks are generally less sophisticated than their more advanced and well-resourced counterparts in Russia or China. They often practice weaker operational security that enables security researchers, governments, and victims to detect and attribute their attacks.
"The majority of Iranian-linked actors will still continue to use social engineering attacks, in which they are equally capable, if not more so, than Russia or China. In the report, Microsoft said that Iranian actors would create social media accounts posing as attractive women to build trust with targets over several months and ultimately deliver malicious documents. From our research, they have also often invested considerable effort in developing more elaborate social engineering personas on LinkedIn to persuade potentially suspicious targets to open malicious links or attachments."
Pete Starr, Global Director of Sales Engineering at Cyren, adds: "It’s easy for anyone, nation-state or not, to launch a phishing campaign, and it is this type of attack that hackers use most often to gather the necessary information to launch a larger-scale ransomware campaign.
"Phishing kits and phishing as a service are readily available to anyone with some cryptocurrency and the motivation to spend it. Additionally, nation-state actors are more persistent, continuing to attack their targets with the knowledge they will eventually find a weak link in the victim’s security.
"Microsoft’s warning demonstrates this perseverance. Indeed, I know of a pro-democracy organisation that says malicious traffic towards their network increases every day around 9am Beijing time, and a major technology company that fended off nation-state network attacks for nine months before an employee got duped by a phishing email. So long as they are successful, hackers will continue to adapt according to strategic goals, becoming more proficient in a myriad of attacks - be it social engineering, cyber espionage, phishing and password spraying attacks, mobile malware, or even supply chain attacks.
"So, while this warning from Microsoft is interesting, it is not surprising given how phishing attacks are continuously used by threat actors to reap rewards. To combat these threats proactively it is important that people remain vigilant and implement a layered security strategy. For instance, we know the best way to defend against phishing is improved detection provided by email hygiene (e.g. Microsoft ATP or a legacy secure email gateway), inbox security, and security awareness training combined with automated incident response. Moreover, Office 365 users need to be extra vigilant as the cloud nature of the service means that the attack surface is huge compared to traditional email systems. Organisations need to ensure they are deploying measures such as multi-factor authentication and anomaly detection to help counter the threat of account takeover attacks."
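The password spraying and account takeover anomaly detection mentioned in the two quotes above, shown as an added example that is not part of the article and not code from Cyren, Microsoft or Rapid7. The sign-in log format, the field names, the sample events and the thresholds (five distinct accounts failing from one source IP inside ten minutes; a successful sign-in from a country the user has never signed in from before) are all assumptions made for illustration, not any product's real schema or defaults.

```python
"""Added example: minimal password-spray and account-takeover detection
over constructed sign-in events. Log format, sample data and thresholds
are assumptions for illustration only."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (timestamp user source_ip country result).
# One IP fails against six accounts in seconds and then succeeds on a seventh;
# later, alice signs in from a country she has never used before.
SAMPLE_LOG = """\
2021-11-17T08:58:01Z alice@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:03Z bob@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:05Z carol@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:07Z dave@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:09Z erin@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:11Z frank@example.com 203.0.113.7 US FAIL
2021-11-17T08:58:13Z grace@example.com 203.0.113.7 US SUCCESS
2021-11-17T09:02:00Z alice@example.com 198.51.100.4 US SUCCESS
2021-11-17T09:30:00Z alice@example.com 192.0.2.9 DE SUCCESS
2021-11-17T09:31:00Z bob@example.com 198.51.100.5 US SUCCESS
"""


def parse_log(text):
    """Parse the assumed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failed sign-ins span >= min_users distinct
    accounts within `window`. Spraying tries one password across many
    accounts, so the signal is breadth of users per IP, not the per-user
    failure count that a lockout policy watches."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding window over failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in fails[start:end + 1]}) >= min_users:
                # Report every account this IP touched, not only the window.
                alerts[ip] = sorted({e["user"] for e in fails})
                break
    return alerts


def detect_post_spray_success(events, spray_ips):
    """Accounts that a spraying IP eventually signed into: the 'weak link'
    and the first accounts to lock and investigate."""
    return sorted({e["user"] for e in events
                   if e["result"] == "SUCCESS" and e["ip"] in spray_ips})


def detect_new_country(events):
    """Simple takeover anomaly: a successful sign-in from a country the user
    has no prior successful sign-in from within this log."""
    seen = defaultdict(set)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "SUCCESS":
            continue
        if seen[e["user"]] and e["country"] not in seen[e["user"]]:
            alerts.append((e["user"], e["country"], e["ip"]))
        seen[e["user"]].add(e["country"])
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(ev)
    print("spraying IPs:", spray)
    print("accounts reached by spray:", detect_post_spray_success(ev, set(spray)))
    print("new-country sign-ins:", detect_new_country(ev))
```

The breadth-per-IP check is what distinguishes spraying from brute force: each account sees only one failure, so a per-user lockout threshold never fires. The new-country check is deliberately naive (a first sign-in from anywhere is treated as baseline), which is why it should be paired with MFA rather than used as the only control.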