An official website of the United States government
Here's how you know
A .gov website belongs to an official government organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Press Release | Oct. 16, 2024

Iranian Cyber Actors Access Critical Infrastructure Networks

FORT MEADE, Md. – The National Security Agency (NSA) is joining the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and others in releasing a Cybersecurity Advisory (CSA), “Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations,” to warn network defenders of malicious activity that can enable persistent access in sensitive systems.

Since October 2023, Iranian cyber actors have used a technique known as brute force to compromise user accounts and obtain access to organizations to modify MFA registrations, enabling persistent access. 

“Our agencies are sharing detailed insight into this malicious cyber activity and what organizations can do to shore up their defenses,” said Dave Luber, NSA Cybersecurity Director. “We explain the tactics, techniques, and procedures used by the Iranian actors, as well as indicators of compromise.”  

Once they have access, the Iranian actors obtain additional credentials and sell the information to users on cybercriminal forums who conduct further malicious activities. The Iranian actors have targeted multiple critical infrastructure sectors, including healthcare, government, information technology, engineering, and energy.  
 
To detect brute force activity such as password spraying, the report’s authors recommend reviewing authentication logs for system and application login failures of valid accounts and looking for multiple, failed authentication attempts across all the accounts.  To mitigate against this activity, the CSA recommends measures such as implementing phishing-resistant multi factor authentication (MFA), continuously reviewing MFA settings, providing cybersecurity training to users, and ensuring password policies meet minimum password strength guidelines.

The other authoring agencies are the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and the Australian Signals Directorate Australian Cyber Security Centre (ASD ACSC).

Read the full report here.
 
Visit our full library for more cybersecurity information and technical guidance.
 

NSA Media Relations
MediaRelations@nsa.gov
443-634-0721

 

Related Documents

CSA: Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
Critical Infrastructure Password Spraying iran multifactor authentication mfa cybersecurity advisory Cybersecurity Guidance
Hosted by Defense Media Activity - WEB.mil Veterans Crisis Line