{
	"id": "5a703b99-6217-4375-990b-255e191abd63",
	"created_at": "2026-04-06T00:10:56.091589Z",
	"updated_at": "2026-04-10T03:33:23.728728Z",
	"deleted_at": null,
	"sha1_hash": "9ab5844e4abb19dc61f5ab34284015f9b62e5f04",
	"title": "Iranian targeting of IT sector on the rise | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 333941,
	"plain_text": "Iranian targeting of IT sector on the rise | Microsoft Security Blog\r\nBy Microsoft Digital Security Unit (DSU), Microsoft Threat Intelligence\r\nPublished: 2021-11-18 · Archived: 2026-04-05 18:45:48 UTC\r\nIranian threat actors are increasing attacks against IT services companies as a way to access their customers’\r\nnetworks. This activity is notable because targeting third parties has the potential to exploit more sensitive\r\norganizations by taking advantage of trust and access in a supply chain. Microsoft has observed multiple Iranian\r\nthreat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to\r\ndownstream customer networks to enable further attacks. The Microsoft Threat Intelligence Center (MSTIC) and\r\nDigital Security Unit (DSU) assess this is part of a broader espionage objective to compromise organizations of\r\ninterest to the Iranian regime.\r\nUntil July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets. As India\r\nand other nations rise as major IT services hubs, more nation state actors follow the supply chain to target these\r\nproviders’ public and private sector customers around the world matching nation state interests.\r\nTo date this year, Microsoft has issued more than 1,600 notifications to over 40 IT companies in response to\r\nIranian targeting, compared to 48 notifications in 2020, making this a significant increase from years past (Figure\r\n1). The focus of several Iranian threat groups on the IT sector particularly spiked in the last six months – roughly\r\n10-13% of our notifications were related to Iranian threat activity in the last six months, compared to two and a\r\nhalf percent in the six months prior (Figure 2). Most of the targeting is focused on IT services companies based in\r\nIndia, as well as several companies based in Israel and United Arab Emirates. 
Although different in technique\r\nfrom other recent supply chain attacks, these attacks represent another example of how nation state actors are\r\nincreasingly targeting supply chains as indirect vectors to achieve their objectives.\r\nFigure 1: Number of notifications sent to IT Services related to Iran-based actor targeting\r\nhttps://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/\r\nPage 1 of 6\n\nFigure 2: Percentage of notifications per quarter sent to IT Services NSNs related to Iran-based activity\r\nAs with any observed nation state actor activity, Microsoft has directly notified customers that have been targeted\r\nor compromised, providing them with the information they need to secure their accounts. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity,\r\nallowing MSTIC to track it as a unique set of information until we reach a high confidence about the origin or\r\nidentity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor.\r\nObserved activity\r\nIn July 2021, a group that MSTIC tracks as DEV-0228 and assesses as based in Iran compromised a single Israel-based IT company that provides business management software. Based on MSTIC’s assessment, DEV-0228 used\r\naccess to that IT company to extend their attacks and compromise downstream customers in the defense, energy,\r\nand legal sectors in Israel. In September, we detected a separate Iranian group, DEV-0056, compromising email\r\naccounts at a Bahrain-based IT integration company that works on IT integration with Bahrain Government\r\nclients, who were likely DEV-0056’s ultimate target. 
DEV-0056 also compromised various accounts at a partially\r\ngovernment-owned organization in the Middle East that provide information and communications technology to\r\nthe defense and transportation sectors, which are targets of interest to the Iranian regime. DEV-0056 maintained\r\npersistence at the IT integration organization through at least October.\r\nMSTIC detected a significant increase in these and other Iranian groups targeting IT companies based in India\r\nbeginning in mid-August. From mid-August to late September, we issued 1,788 nation state notifications (NSNs)\r\nacross Iranian actors to enterprise customers in India, roughly 80% of which were to IT companies, an exponential\r\nrise from the 10 notifications we issued the previous three years in response to previous Iranian targeting. Iranian\r\ncyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such\r\na shift suggests that this targeting is for indirect access to subsidiaries and clients outside India.\r\nCredential theft leads to downstream compromise\r\nDEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over\r\nthe next two months, the group compromised at least a dozen other organizations, several of which have strong\r\npublic relations with the compromised IT company. MSTIC assesses at least four (4) of those victims were\r\ncompromised using the acquired credentials and access from the IT company in the July and August attacks. 
Here\r\nare two such examples:\r\nDEV-0228 operators compromised the on-premises network of a law firm in Israel in August through an\r\naccount managed by the IT provider via PAExec (a custom version of the Windows Sysinternals tool\r\nPsExec).\r\nPa.exe \\\\###.##.#.## -u {user name}\\{domain name} -p \"********\" -s cmd.exe\r\nDEV-0228 operators also compromised a defense company in Israel by signing into an email account\r\nprovisioned for the same IT provider on the victim’s Office 365 tenant. The attackers likely obtained those\r\ncredentials from the initial compromise of the IT provider in July.\r\nCustom implant to establish persistence\r\nDEV-0228 operators used a custom implant to establish persistence on victim hosts and then dumped LSASS. The\r\nimplant is a custom remote access Trojan (RAT) that uses Dropbox as a command and control (C2) channel and is\r\ndisguised as RuntimeBroker.exe or svchost.exe.\r\nOperators staged their tools in a C:\\Windows\\TAPI directory on the victim hosts:\r\nC:\\Windows\\TAPI\\lsa.exe\r\nC:\\Windows\\TAPI\\pa.exe\r\nC:\\Windows\\TAPI\\pc.exe (procdump)\r\nC:\\Windows\\TAPI\\Rar.exe\r\nMicrosoft will continue to monitor DEV-0228 and DEV-0056 activity and implement protections for our\r\ncustomers. 
The current detections, advanced detections, and IOCs in place across our security products are\r\ndetailed below.\r\nIndicators of compromise (IOCs)\r\nType Indicator\r\nsvchost.exe 2a1044e9e6e87a032f80c6d9ea6ae61bbbb053c0a21b186ecb3b812b49eb03b7\r\nsvchost.exe 9ab7e99ed84f94a7b6409b87e56dc6e1143b05034a5e4455e8c555dbbcd0d2dd\r\nlsa.exe 43109fbe8b752f7a9076eaafa417d9ae5c6e827cd5374b866672263fdebd5ec3\r\nwdmsvc.exe 18a072ccfab239e140d8f682e2874e8ff19d94311fc8bb9564043d3e0deda54b\r\nPa.exe (PAExec.exe) ab50d8d707b97712178a92bbac74ccc2a5699eb41c17aa77f713ff3e568dcedb\r\nRecommended defenses\r\nThe following guidance can mitigate the techniques described in the threat activity:\r\nEnable multi-factor authentication to mitigate compromised credentials.\r\nFor Office 365 users, see multi-factor authentication support.\r\nFor Consumer and Personal email accounts, see how to use two-step verification.\r\nUse passwordless solutions like Microsoft Authenticator to secure accounts.\r\nReview and enforce recommended Exchange Online access policies.\r\nBlock ActiveSync clients from bypassing Conditional Access policies.\r\nBlock all incoming traffic from anonymizing services where possible.\r\nTurn on the following attack surface reduction rule to block or audit activity associated with this threat:\r\nBlock credential stealing from the Windows local security authority subsystem (lsass.exe)\r\nDetections\r\nMicrosoft 365 Defender\r\nAntivirus\r\nMicrosoft Defender Antivirus detects threat components as the following malware:\r\nBackdoor:MSIL/ShellClient.A\r\nBackdoor:MSIL/ShellClient.A!dll\r\nTrojan:MSIL/Mimikatz.BA!MTB\r\nEndpoint detection and response (EDR)\r\nAlerts with the following titles in the security center can indicate threat activity on the network:\r\nDEV-0228 actor activity\r\nDEV-0056 actor activity\r\nThe following alerts might indicate threat 
activity associated with this threat. These alerts, however, can be\r\ntriggered by unrelated threat activity, but they are listed here for reference:\r\nSuspicious connection to remote service\r\nPossible command-and-control activity\r\nSuspicious access to LSASS service\r\nSensitive credential memory read\r\nFigure 3: Microsoft 365 Defender alert showing credential dumping activity\r\nMicrosoft 365 Defender correlates related alerts into consolidated incidents to help customers determine with\r\nconfidence if observed alerts are related to this activity. Customers using the Microsoft 365 Defender portal can\r\nview, investigate, and respond to incidents that include any detections related to the activity described in this blog.\r\nAdvanced hunting queries\r\nMicrosoft Sentinel\r\nThe indicators of compromise (IoCs) included in this blog post can be used by Microsoft Sentinel customers for\r\ndetection purposes using the queries detailed below.\r\nCommand Line Activity November 2021\r\nThis hunting query looks for process command line activity related to observed activity. The query uses additional\r\ndata from Microsoft Defender for Endpoint to generate a risk score associated with each result. 
Hosts with higher\r\nrisk events should be investigated first.\r\nhttps://github.com/azure/azure-sentinel/blob/master/Hunting%20Queries/MultipleDataSources/Dev-0056CommandLineActivityNovember2021.yaml\r\nFilePath/Hashes query November 2021\r\nThis hunting query looks for file paths/hashes related to observed activity as detailed in this blog.\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/MultipleDataSources/Dev-0228FilePathHashesNovember2021.yaml\r\nIn addition to these queries, there are equivalent queries that use the Advanced SIEM Information Model (ASIM)\r\nto look for the same activity.\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/ASimProcess/imProcess_Dev-0056CommandLineActivityNovember2021-ASIM.yaml\r\nhttps://github.com/Azure/Azure-Sentinel/tree/master/Detections/ASimFileEvent/imFileEvent_Dev-0228FilePathHashesNovember2021-ASIM.yaml\r\nMicrosoft 365 Defender\r\nTo locate malicious activity related to the activity described in this blog, customers can run the following queries\r\nin Microsoft 365 Defender or Microsoft Defender for Endpoint.\r\nIdentify use of PAExec in your environment\r\nLook for PAExec.exe process executions in your environment.\r\nDeviceProcessEvents\r\n| where FileName =~ \"paexec.exe\" or ProcessVersionInfoOriginalFileName =~ \"paexec.exe\"\r\n| where not(ProcessCommandLine has_any(\"programfiles\", \"-service\"))\r\nIdentify files created in the Windows\\Tapi directory\r\nLook for files created in the Windows\\Tapi directory.\r\nDeviceFileEvents\r\n| where FolderPath has @\"C:\\Windows\\TAPI\"\r\nSuspicious PowerShell commands\r\nLook for suspicious PowerShell process execution. 
DeviceProcessEvents\r\n| where ProcessCommandLine has_any(\"/q /c color f7\u0026\", \"Net.We$()bClient\", \"$b,15,$b.Length-15\") or\r\n(ProcessCommandLine has \"FromBase64String\" and ProcessCommandLine has_all(\"-nop\", \"iex\", \"(iex\"))\r\nSource: https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/11/18/iranian-targeting-of-it-sector-on-the-rise/"
	],
	"report_names": [
		"iranian-targeting-of-it-sector-on-the-rise"
	],
	"threat_actors": [
		{
			"id": "cd118f78-11b5-4b51-ad97-2f7562905bdb",
			"created_at": "2024-02-02T02:00:04.021391Z",
			"updated_at": "2026-04-10T02:00:03.525833Z",
			"deleted_at": null,
			"main_name": "Cuboid Sandstorm",
			"aliases": [
				"DEV-0228"
			],
			"source_name": "MISPGALAXY:Cuboid Sandstorm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "591ffe81-e46b-4e3d-90c1-9bf42abeeb47",
			"created_at": "2025-08-07T02:03:24.726943Z",
			"updated_at": "2026-04-10T02:00:03.805423Z",
			"deleted_at": null,
			"main_name": "COBALT FIRESIDE",
			"aliases": [
				"CURIUM ",
				"Crimson Sandstorm ",
				"Cuboid Sandstorm ",
				"DEV-0228 ",
				"HIVE0095 ",
				"Imperial Kitten ",
				"TA456 ",
				"Tortoiseshell ",
				"UNC3890 ",
				"Yellow Liderc "
			],
			"source_name": "Secureworks:COBALT FIRESIDE",
			"tools": [
				"FireBAK",
				"LEMPO",
				"LiderBird"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434256,
	"ts_updated_at": 1775792003,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ab5844e4abb19dc61f5ab34284015f9b62e5f04.pdf",
		"text": "https://archive.orkl.eu/9ab5844e4abb19dc61f5ab34284015f9b62e5f04.txt",
		"img": "https://archive.orkl.eu/9ab5844e4abb19dc61f5ab34284015f9b62e5f04.jpg"
	}
}