Strengthening critical infrastructure cybersecurity protection


Iranian cyber actors pose a significant threat to critical infrastructure worldwide by using advanced techniques to infiltrate essential systems without authorisation. These actors use methods such as brute force attacks, password spraying, and multi-factor authentication (MFA) push bombing to infiltrate networks across various industries, including the government, healthcare, and energy sectors.

Australia’s public sector oversees critical national infrastructure and faces increasing vulnerability to these operations, underscoring the urgent need for enhanced cybersecurity measures at a national level. The Cybersecurity and Infrastructure Security Agency (CISA) recently published a joint advisory that details Iranian actors targeting critical infrastructure sectors, especially government institutions. 

The advisory highlights that attackers often aim to steal credentials and exploit system vulnerabilities to gain prolonged access, which they then trade on cybercriminal forums. This situation poses a serious risk, as compromised networks in Australia can act as launch pads for further attacks, impacting both local and international targets.

Cyber risks target public sector

In Australia, Iranian cyber actors pose risks that extend beyond isolated incidents of unauthorised access. Malicious actors increasingly target the public sector, which handles essential services, national security information, and citizen data. Failing to address these vulnerabilities will lead to significant disruptions in public services and compromise sensitive national information. The Australian Cyber Security Centre (ACSC) warns that “attacks on critical infrastructure are part of a coordinated effort to destabilise operational networks, posing a direct risk to Australia’s national security.”

In late 2023, Iranian cyber actors exploited vulnerabilities in public health and government networks by using brute force and MFA push bombing methods. Through these attacks, the threat actors circumvented security protocols and gained ongoing access to critical systems. The repercussions were wide-reaching, affecting essential services and leading to the disclosure of sensitive information.

Evolving cyberattack tactics

Cyber actors based in Iran consistently employ strategies that adapt and evolve. Key methods include:

  • Brute force attacks: Iranian cyber actors consistently attempt to guess user credentials by using techniques like password spraying and testing common or weak passwords across various accounts. This approach successfully takes advantage of inadequately managed password protocols, particularly within public-sector systems where user accounts abound.
  • MFA push bombing: Iranian cyber actors continuously despatch MFA requests to genuine users, seeking to exhaust them and lead them to inadvertently grant access. Attackers have used this approach, known as “MFA fatigue” or push bombing, to bypass systems that utilise MFA security measures.
  • Credential harvesting: After gaining access, attackers exploit network weaknesses to elevate their privileges and gather more credentials, enabling further lateral movement within the breached network. The use of tools for Kerberos enumeration and directory dumps has been observed, highlighting the need for stronger internal controls.

The Federal Bureau of Investigation (FBI) and CISA reported that “Iranian cyber actors not only compromise systems but also modify MFA registrations to ensure continued access, often registering their devices to exploit legitimate user accounts.”

Advancing cybersecurity defenses

Australia’s public sector must implement a strong, multi-faceted cybersecurity strategy to tackle these challenges. The ACSC, working alongside international agencies, issued a detailed set of recommendations to safeguard against Iranian cyber threats. The essential measures are:

  • Enforce strong passphrases: All user accounts must use complex passphrases, avoiding familiar words and sequences like “Password123!”. Passphrases that range from 8 to 64 characters and include a variety of non-standard characters greatly reduce the chances of a successful brute force attack.
  • Implement and monitor MFA appropriately: MFA serves as a strong defence mechanism, but its effectiveness relies on proper configuration. Users must learn how to identify and reject MFA requests that they did not initiate. Systems must identify unusual MFA registrations, especially those from untrusted devices or locations.
  • Continuous system monitoring: Monitoring login attempts in real time is essential. Uncommon login behaviours, such as a single account being accessed from many different IP addresses or “impossible travel” logins from distant locations within a short period, can signal a potential security breach.
  • Phishing-resistant MFA: CISA recommends implementing phishing-resistant MFA solutions because they pose greater challenges for attackers to compromise. Hardware tokens and biometric factors provide an additional layer of security beyond conventional MFA.
  • Regular security testing: Australian public-sector organisations should consistently evaluate their cybersecurity programmes against the MITRE ATT&CK® framework, as encouraged by the ACSC. This helps ensure that current security measures can withstand the sophisticated techniques employed by Iranian actors.
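
As an added illustration of the monitoring points above (example code written for this page, not from the advisory or the ACSC), the following Python detector flags the three patterns the article names over a handful of constructed authentication events: password spraying (one source IP failing against many accounts), MFA push bombing (many prompts to one user in a short window) and impossible travel (consecutive logins whose distance over time exceeds a plausible speed). The thresholds, IP addresses and coordinates are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not from the advisory): (timestamp, user, source IP, event, lat, lon)
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "203.0.113.9", "login_fail", None, None),
    ("2024-05-01T08:00:05", "bob", "203.0.113.9", "login_fail", None, None),
    ("2024-05-01T08:00:11", "carol", "203.0.113.9", "login_fail", None, None),
] + [  # six MFA prompts pushed to one user within a minute
    (f"2024-05-01T09:00:{s:02d}", "erin", "198.51.100.7", "mfa_prompt", None, None)
    for s in range(0, 60, 10)
] + [
    ("2024-05-01T10:00:00", "frank", "192.0.2.10", "login_ok", -33.87, 151.21),  # Sydney
    ("2024-05-01T10:30:00", "frank", "203.0.113.50", "login_ok", 51.51, -0.13),  # London
    ("2024-05-01T11:00:00", "grace", "192.0.2.11", "login_ok", -33.87, 151.21),  # Sydney
    ("2024-05-01T12:00:00", "grace", "192.0.2.12", "login_ok", -37.81, 144.96),  # Melbourne
]

def _burst(items, window_s, threshold):  # any window_s-second window with >= threshold distinct keys?
    items = sorted(items)  # items are (datetime, key) pairs
    return any(len({k for t, k in items[i:] if (t - t0).total_seconds() <= window_s}) >= threshold
               for i, (t0, _) in enumerate(items))

def detect_password_spray(events, window_s=300, min_users=3):  # one IP, many accounts
    fails = defaultdict(list)
    for ts, user, ip, ev, _, _ in events:
        if ev == "login_fail":
            fails[ip].append((datetime.fromisoformat(ts), user))
    return {ip for ip, f in fails.items() if _burst(f, window_s, min_users)}

def detect_mfa_push_bombing(events, window_s=120, min_prompts=5):  # one user, many prompts
    prompts = defaultdict(list)
    for ts, user, _, ev, _, _ in events:
        if ev == "mfa_prompt":
            prompts[user].append((datetime.fromisoformat(ts), ts))  # each prompt is a distinct key
    return {u for u, p in prompts.items() if _burst(p, window_s, min_prompts)}

def _km(lat1, lon1, lat2, lon2):  # haversine great-circle distance in km
    p1, p2, dl = radians(lat1), radians(lat2), radians(lon2 - lon1)
    return 2 * 6371 * asin(sqrt(sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(dl / 2) ** 2))

def detect_impossible_travel(events, max_kmh=900):  # consecutive logins faster than an airliner
    last, flagged = {}, set()
    for ts, user, _, ev, lat, lon in sorted(events, key=lambda e: e[0]):
        if ev == "login_ok":
            t = datetime.fromisoformat(ts)
            if user in last:
                hours = (t - last[user][0]).total_seconds() / 3600
                if hours > 0 and _km(*last[user][1:], lat, lon) / hours > max_kmh:
                    flagged.add(user)
            last[user] = (t, lat, lon)
    return flagged
```

Real deployments would feed the same functions from the identity provider's sign-in logs and tune the windows and thresholds to the organisation's baseline.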

Iranian cyber threats target critical infrastructure and pose a significant and immediate risk to Australia’s public sector. These actors continuously refine their techniques, exploiting weaknesses in systems through brute force and the manipulation of multi-factor authentication. Establishing strong cybersecurity measures is crucial. Australia’s public sector must prioritise proactive strategies, continuous monitoring, and thorough system evaluations to protect against advanced threats, following the recommendations of the ACSC and global security organisations.