
Iranian Cyber Actors Targeting Critical US Infrastructure


A joint cybersecurity advisory from the FBI, CISA, NSA, and international partner agencies reports that Iranian cyber actors are actively targeting critical infrastructure organizations with brute force (chiefly password spraying) and other credential-based attacks. The activity spans several sectors, including healthcare, government, information technology, and energy. The aim is valid credentials: once the actors hold a working account, the rest of the intrusion relies on ordinary remote-access tooling that is hard to distinguish from legitimate use.

Technical Details:

  • Brute Force Attacks (Password Spraying): Rather than hammering one account with many guesses, which trips account lockout, attackers try a short list of common or weak passwords against many accounts, staying under per-account lockout thresholds while still compromising the weakest accounts across the organization.

  • MFA Push Bombing: Having obtained a valid password, the actors repeatedly trigger MFA push notifications to the victim’s phone, exploiting prompt fatigue until the user accepts one, sometimes simply to make the notifications stop. That single approval completes the login.

  • Credential Persistence: Once in, the attackers frequently modify the account’s MFA registration and enroll their own device, so later logins no longer depend on the victim approving a prompt. Re-securing the account therefore means more than a password reset: the account’s registered MFA methods and active sessions have to be reviewed as well, and any device the user does not recognize removed.

  • VPN and RDP Use: With valid credentials, the actors log in through the organization’s own virtual private network (VPN) and use Remote Desktop Protocol (RDP) to move laterally between hosts; PowerShell has been used to run commands and open remote sessions on those hosts. Because this is legitimate tooling driven by valid accounts, it is not caught by malware signatures, only by examining sign-in context such as source IP, time, and device.

  • Kerberos Ticket Theft and Forging: After gaining a foothold, the actors enumerate Active Directory and attempt to obtain or forge Kerberos tickets that carry higher privileges. A ticket for a privileged service account or administrator lets them escalate within the domain and compromise further systems.

Indicators of Compromise (IOCs):

  • Malicious IP Addresses: The advisory lists IP addresses associated with this activity; search VPN, identity-provider, and firewall logs for them. IP indicators age quickly and attackers rotate infrastructure, so treat a match as a lead to investigate rather than the only detection, and pair it with the behavioural checks described above. Examples (the month in parentheses is when the activity was observed):
    • 95.181.234.12 (January 2024)
    • 173.239.232.20 (December 2023)
    • 46.246.8.138 (January 2024)
    • Additional IP information available upon request.
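The following Python is an added example, not code from the advisory or from this page’s authors. It runs three checks implied by the technical details and indicators above over a handful of constructed sign-in events (JSON lines loosely mimicking an identity-provider export): a sliding-window password-spray detector that counts distinct accounts failing from one source, an MFA push-bombing detector that flags a burst of prompts to one user and records whether one was approved, and a match against the three indicator addresses quoted above. The field names, the 10-minute windows and thresholds, and the sample addresses 203.0.113.10 and 198.51.100.7 are assumptions; the events are constructed, and the IOC hit reuses 46.246.8.138 from the list.

```python
"""Sign-in log checks: password spraying, MFA push bombing, IOC hits.

Added example. Field names, thresholds and the sample events are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The three addresses quoted on this page; load the advisory's full list in practice.
IOC_IPS = {"95.181.234.12", "173.239.232.20", "46.246.8.138"}

SPRAY_WINDOW = timedelta(minutes=10)  # assumed tuning values
SPRAY_MIN_USERS = 5                   # distinct accounts failing from one IP
PUSH_WINDOW = timedelta(minutes=10)
PUSH_MIN_PROMPTS = 5                  # MFA prompts to one user in the window

# Constructed sample events (not real telemetry). 203.0.113.10 sprays six
# accounts and gets into "frank"; 46.246.8.138 (an IOC) bombs "gina" with
# pushes until one is approved; alice's traffic from 198.51.100.7 is a normal
# user mistyping once and must not alert.
SAMPLE_LOG = """
{"ts": "2024-01-15T08:00:05", "user": "alice", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:00:12", "user": "bob", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:00:20", "user": "carol", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:00:31", "user": "dave", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:00:44", "user": "erin", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:00:58", "user": "frank", "src_ip": "203.0.113.10", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:02:10", "user": "frank", "src_ip": "203.0.113.10", "result": "success"}
{"ts": "2024-01-15T08:05:00", "user": "alice", "src_ip": "198.51.100.7", "result": "failure", "reason": "bad_password"}
{"ts": "2024-01-15T08:05:20", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "mfa": "push_approved"}
{"ts": "2024-01-15T08:10:00", "user": "gina", "src_ip": "46.246.8.138", "result": "failure", "reason": "mfa_denied", "mfa": "push_denied"}
{"ts": "2024-01-15T08:10:30", "user": "gina", "src_ip": "46.246.8.138", "result": "failure", "reason": "mfa_denied", "mfa": "push_denied"}
{"ts": "2024-01-15T08:11:00", "user": "gina", "src_ip": "46.246.8.138", "result": "failure", "reason": "mfa_denied", "mfa": "push_denied"}
{"ts": "2024-01-15T08:11:40", "user": "gina", "src_ip": "46.246.8.138", "result": "failure", "reason": "mfa_denied", "mfa": "push_denied"}
{"ts": "2024-01-15T08:12:20", "user": "gina", "src_ip": "46.246.8.138", "result": "failure", "reason": "mfa_timeout", "mfa": "push_timeout"}
{"ts": "2024-01-15T08:13:05", "user": "gina", "src_ip": "46.246.8.138", "result": "success", "mfa": "push_approved"}
"""


def parse(log_text):
    """Parse JSON-lines sign-in events and return them sorted by timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _windows(events, window):
    """Yield, for each event, the slice of time-ordered events ending at it
    and spanning at most `window` (a sliding window)."""
    start = 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        yield events[start:end + 1]


def detect_spray(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS):
    """Map source IP -> sorted targeted accounts for every IP whose bad-password
    failures hit >= min_users distinct accounts inside one window. Many accounts
    failing once each from one source is the spray signature; one account
    failing many times is ordinary lockout noise."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure" and e.get("reason") == "bad_password":
            by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        if any(len({x["user"] for x in w}) >= min_users for w in _windows(evs, window)):
            hits[ip] = sorted({x["user"] for x in evs})
    return hits


def detect_push_bombing(events, window=PUSH_WINDOW, min_prompts=PUSH_MIN_PROMPTS):
    """Map user -> {"prompts": n, "approved": bool} for users who received
    >= min_prompts push prompts inside one window. A burst that ends in an
    approval is the likely-compromise case, not just harassment."""
    by_user = defaultdict(list)
    for e in events:
        if (e.get("mfa") or "").startswith("push_"):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        bursts = [w for w in _windows(evs, window) if len(w) >= min_prompts]
        if bursts:
            biggest = max(bursts, key=len)
            hits[user] = {"prompts": len(biggest),
                          "approved": any(x["mfa"] == "push_approved" for x in biggest)}
    return hits


def detect_ioc_hits(events, iocs=IOC_IPS):
    """Every sign-in attempt, successful or not, from an indicator address."""
    return [{"ts": e["ts"].isoformat(), "user": e["user"],
             "src_ip": e["src_ip"], "result": e["result"]}
            for e in events if e["src_ip"] in iocs]


def run_detections(log_text):
    events = parse(log_text)
    return {"password_spray": detect_spray(events),
            "mfa_push_bombing": detect_push_bombing(events),
            "ioc_hits": detect_ioc_hits(events)}


if __name__ == "__main__":
    print(json.dumps(run_detections(SAMPLE_LOG), indent=2))
```

The spray check deliberately counts distinct accounts per source rather than failures per account, because lockout-aware spraying keeps each account’s failure count low; tune the windows and thresholds to your own sign-in baseline before alerting on them.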

Recommended Mitigations:

  1. Enforce Strong Password Policies: Require long, unique passwords and check new passwords against lists of breached and commonly used passwords. Ban the patterns sprays rely on: default-style passwords like “Password123,” seasonal or dated variations like “Spring2024,” and their leet-speak variants such as “P@ssw0rd.”

  2. Implement Phishing-Resistant MFA: Move to MFA that a fatigued user cannot approve by mistake and an attacker cannot relay, such as FIDO2/WebAuthn security keys or certificate-based (smart card) authentication. A biometric that unlocks such an authenticator qualifies; a fingerprint or face approval of a push prompt does not, because the user is still approving a prompt the attacker triggered. Where push must remain for now, enable number matching and limit how many prompts a user can receive in a short period.

  3. Monitor for Suspicious Login Activity: Alert on the signatures of these techniques, not only on individual failures: many distinct accounts failing from one source in a short window (password spraying), a burst of MFA prompts to one user, especially when one is finally approved (push bombing), new MFA device registrations shortly after a successful login, and impossible travel, such as logins from distant locations within minutes or from devices the account owner does not normally use.

  4. Disable Inactive Accounts: Disable accounts of former employees promptly and review accounts with no recent sign-ins. Dormant accounts are attractive spray targets because nobody notices when they start authenticating.

  5. Limit Privilege Escalation: Regularly review Active Directory and Kerberos configuration: give service accounts long, random passwords so their Kerberos tickets cannot be cracked offline, keep membership of privileged groups minimal, and separate administrative accounts from everyday user accounts so a sprayed user password does not hand over the domain.
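As an added example for the password policy above (not code from the advisory or from this page’s authors), the Python below implements the banned-pattern part of such a policy: it strips the trailing year or digits, undoes common leet-speak substitutions, and then compares the remaining base word against a list of defaults and seasons, so “Spring2024!” and “P@ssw0rd123” are both rejected for the reason a user can act on. The 15-character floor, the leet map, the word list and the org_words parameter are assumptions, not values taken from the advisory.

```python
"""Banned-pattern check for a password policy.

Added example; the length floor, leet map and word list are assumptions.
"""
import re

MIN_LENGTH = 15  # assumed policy floor; length matters more than symbol rules

# Leet substitutions undone before comparing, so "P@ssw0rd" is judged as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s"})

# Base words that sprays lean on: classic defaults plus the seasons behind
# "Spring2024"-style passwords.
BANNED_BASES = {"password", "welcome", "letmein", "qwerty", "admin",
                "changeme", "spring", "summer", "autumn", "fall", "winter"}


def normalize(password):
    """Strip trailing year/digits/punctuation, then undo leet-speak.
    'Spring2024!' -> 'spring', 'P@ssw0rd123' -> 'password'."""
    core = re.sub(r"[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def check_password(password, org_words=()):
    """Return (accepted, reason). org_words lets the caller also ban the
    company or product name, which sprays routinely try."""
    base = normalize(password)
    banned = BANNED_BASES | {w.lower() for w in org_words}
    for word in sorted(banned):          # sorted so the reported word is deterministic
        if base.startswith(word):
            return False, f"banned base word '{word}'"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Spring2024!", "P@ssw0rd123", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

Run this at password-change time alongside a breached-password list; the normalization step is what stops users from satisfying a naive blocklist by appending the current year or swapping letters for symbols.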

Next Steps:

We strongly recommend that all organizations take immediate action to strengthen their security posture in light of these evolving threats. As your trusted IT and cybersecurity partner, we can help with:

  • Security Assessments: We offer comprehensive security reviews to identify vulnerabilities in your systems, such as weak passwords, MFA gaps, and privilege escalation risks. Our experts can provide tailored recommendations to secure your infrastructure.

  • MFA Implementation: If you’re not already using multifactor authentication or need to upgrade to phishing-resistant MFA, we can assist with setting up and managing these systems to protect your accounts from unauthorized access.

  • Advanced Threat Detection: We can implement and monitor solutions that detect unusual login activity, suspicious IP addresses, and attempts to exploit your network. Our team will alert you to any potential breaches and respond immediately to contain the threat.

  • Account Management and Access Controls: Ensuring that inactive accounts are disabled promptly and enforcing least-privilege access policies are key security measures. We can help you set up automated processes to manage accounts and privileges securely.

  • 24/7 Monitoring and Support: Our team provides around-the-clock monitoring to identify threats before they become incidents. If an attack occurs, we are ready to act swiftly to minimize any potential damage.

Don’t wait until it’s too late—contact us today to schedule a consultation or security audit. We’ll ensure your systems are protected against the latest cyber threats and help you stay ahead of attackers.