The Microsoft Threat Intelligence Center (MSTIC) has presented a report on the evolution of Iranian hacking groups over the past year. The report indicates that the groups have become more sophisticated in their use of tools, techniques, and procedures.

What has happened?

Since September 2020, the tech giant has been tracking six Iranian hacking groups (DEV-0146, DEV-0227, DEV-0198, DEV-0500, Rubidium, and Phosphorus) spreading ransomware and stealing data. Over time, these groups have evolved into more capable threat actors.
  • The threat groups are performing cyber-espionage, phishing, and password spraying attacks, using multi-platform malware, carrying out supply-chain attacks, and spreading wipers and ransomware.
  • In some of the attacks, DEV-0343 targeted U.S. defense tech firms and carried out massive password-spraying attacks.

Key trends

  • One of the trends observed in the attacks by these groups is a high level of patience and persistence. Such campaigns were linked to Phosphorus, Curium, and a hacking group linked to Hamas.
  • While some groups moved in an orderly manner, using social engineering to obtain access to Office 365 accounts, others opted for aggressive methods such as brute-force attacks.
  • All groups have used ransomware to pursue their goals and deployed it in waves, usually six to eight weeks apart.

Additional tricks and attacks

  • This year, the attackers were found scanning for exploitable vulnerabilities in multiple products, such as Exchange Servers vulnerable to ProxyShell and Fortinet FortiOS SSL VPN.
  • By scanning for unpatched Fortinet VPN systems, the attackers obtained 900 valid credentials in plain text.


Iranian threat groups are becoming more sophisticated and have lately been adapting their strategic goals and tradecraft, with increasing resources at their disposal. Moreover, the groups are now more capable than ever before and are conducting more destructive operations. Sharing threat intelligence is one of the best ways to stay protected and detect such threats.

Cyware Publisher