A recent advisory from the Federal Bureau of Investigation details the cyber activities of Iranian threat actors, and it underscores the urgent need for proactive cybersecurity in Australia’s critical infrastructure sectors, such as energy, healthcare, and transport.
Need to Know: Analysing the Cyber Threat
Iranian cyber actors have been identified using advanced brute force attacks and credential theft to infiltrate nationally significant systems, posing serious risks to Australia’s national security and societal stability. This advisory underscores that reactive measures are no longer enough for critical infrastructure operators. A proactive approach is essential—leveraging threat intelligence to understand adversaries’ methods and collaborating with security operations centres (SOCs) and managed services providers to stay protected.
Key tactics used by Iranian actors include:
- Password spraying: testing commonly used passwords against many accounts to gain access.
- MFA push bombing: overwhelming users with repeated authentication requests until access is inadvertently granted.
The ACSC advises adopting a proactive defence strategy with continuous threat monitoring, advanced detection tools, and active intelligence sharing. By staying informed about adversarial techniques, Australian organisations can work with cybersecurity experts to implement strong, preemptive measures. This approach enhances cyber resilience and helps critical sectors protect systems vital to the nation’s economy and security.
The Importance of Threat Intelligence in Operations
Regularly reviewing threat intelligence bulletins, such as this advisory, is imperative for uncovering and mitigating threats before they can disrupt operations. This report spotlights Iranian cyber actors’ use of advanced tactics like password spraying and MFA push bombing to compromise critical infrastructure, a stark reminder that sophisticated attackers are targeting vulnerable systems. Detecting these methods is possible, but only for organisations equipped with monitoring tools that flag irregular login behaviour, MFA inconsistencies, and “impossible logins”: sign-ins from geographically improbable locations within a short period. By translating these insights into action, security teams can proactively spot and respond to similar attack patterns on their own networks. For example, recognising MFA push bombing, where attackers bombard users with repeated authentication requests, allows immediate intervention before an attacker gains access. This proactive stance is essential in today’s high-stakes cybersecurity landscape, where staying one step ahead of adversaries is not merely beneficial but necessary for safeguarding critical infrastructure.
Understanding Adversary Techniques
Mapping adversary techniques, as outlined in the MITRE ATT&CK framework, is another critical component of the threat intelligence lifecycle. This advisory sheds light on how Iranian actors have used tactics such as Kerberos ticketing, Active Directory enumeration, and VPNs to move laterally across target networks. By understanding these tactics and techniques, critical infrastructure operators can configure detection systems to identify the malicious behaviour these activities produce as they interact with the organisation’s systems.
Detection rules can be tailored to catch abnormal directory services queries, suspicious PowerShell activity on servers, and access to sensitive directories, all techniques seen in this advisory. This proactive approach enables organisations to block malicious activity before it escalates.
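As an added illustration (not code from the post, the advisory or Kinetic IT), the following Python sketches the three login-based detections described above: password spraying (one source address failing against many accounts in a short window), MFA push bombing (a burst of prompts to one account, noting whether one was then approved), and impossible logins (consecutive successful sign-ins whose implied travel speed is unrealistic). The event schema, the thresholds and the sample records are all constructed assumptions; a real deployment would read the same fields from an identity provider’s sign-in log.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in telemetry (not real data). Each record mirrors the
# fields an identity provider typically logs: timestamp, account, source IP,
# event type and the geolocation resolved for the source IP on a success.
SAMPLE_EVENTS = [
    # One source, six accounts, one failed guess each within seconds: spraying.
    {"ts": "2024-10-16T09:00:01", "user": "alice", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:00:02", "user": "bob", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:00:03", "user": "carol", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:00:04", "user": "dave", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:00:05", "user": "erin", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:00:06", "user": "frank", "ip": "203.0.113.7", "event": "login_fail", "geo": None},
    # One user mistyping a password twice: noise, not spraying.
    {"ts": "2024-10-16T09:05:00", "user": "grace", "ip": "198.51.100.4", "event": "login_fail", "geo": None},
    {"ts": "2024-10-16T09:05:20", "user": "grace", "ip": "198.51.100.4", "event": "login_fail", "geo": None},
    # Five MFA prompts to alice in two minutes, then an approval: push bombing.
    {"ts": "2024-10-16T09:10:00", "user": "alice", "ip": "203.0.113.7", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T09:10:30", "user": "alice", "ip": "203.0.113.7", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T09:11:00", "user": "alice", "ip": "203.0.113.7", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T09:11:30", "user": "alice", "ip": "203.0.113.7", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T09:12:00", "user": "alice", "ip": "203.0.113.7", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T09:12:10", "user": "alice", "ip": "203.0.113.7", "event": "mfa_approved", "geo": None},
    {"ts": "2024-10-16T09:12:15", "user": "alice", "ip": "203.0.113.7", "event": "login_success", "geo": (-33.87, 151.21)},
    # bob signs in from Sydney, then from London thirty minutes later: impossible.
    {"ts": "2024-10-16T11:00:00", "user": "bob", "ip": "192.0.2.10", "event": "mfa_prompt", "geo": None},
    {"ts": "2024-10-16T11:00:05", "user": "bob", "ip": "192.0.2.10", "event": "login_success", "geo": (-33.87, 151.21)},
    {"ts": "2024-10-16T11:30:00", "user": "bob", "ip": "203.0.113.99", "event": "login_success", "geo": (51.51, -0.13)},
    # alice from Melbourne six hours later: ~700 km in ~6 h is ordinary travel.
    {"ts": "2024-10-16T15:00:00", "user": "alice", "ip": "192.0.2.22", "event": "login_success", "geo": (-37.81, 144.96)},
]


def _parse(events):
    """Return a copy of the events sorted by time, with 'ts' as a datetime."""
    return sorted((dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events), key=lambda e: e["ts"])


def detect_password_spraying(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logins touch >= min_accounts distinct accounts
    inside one sliding window. Returns {ip: set_of_accounts_targeted}."""
    failures = defaultdict(list)
    for e in _parse(events):
        if e["event"] == "login_fail":
            failures[e["ip"]].append(e)
    alerts = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:  # slide the window forward
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = alerts.get(ip, set()) | users
    return alerts


def detect_mfa_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag accounts receiving >= min_prompts MFA pushes inside one window and record
    whether a prompt was approved afterwards. Returns {user: {"prompts", "approved"}}."""
    by_user = defaultdict(list)
    for e in _parse(events):
        if e["event"] in ("mfa_prompt", "mfa_approved"):
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        prompts = [e for e in evs if e["event"] == "mfa_prompt"]
        start = 0
        for end in range(len(prompts)):
            while prompts[end]["ts"] - prompts[start]["ts"] > window:
                start += 1
            burst = end - start + 1
            if burst >= min_prompts:
                # An approval at or after the end of the burst is the dangerous outcome.
                approved = any(x["event"] == "mfa_approved" and x["ts"] >= prompts[end]["ts"] for x in evs)
                prev = alerts.get(user, {"prompts": 0, "approved": False})
                alerts[user] = {"prompts": max(prev["prompts"], burst), "approved": prev["approved"] or approved}
    return alerts


def haversine_km(a, b, radius_km=6371.0):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * radius_km * asin(sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=900.0, min_km=50.0):
    """Flag consecutive successful logins by one account whose implied ground speed
    exceeds max_speed_kmh (roughly airliner speed). Returns [(user, km, hours)]."""
    last, alerts = {}, []
    for e in _parse(events):
        if e["event"] != "login_success" or e["geo"] is None:
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["geo"], e["geo"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > min_km and (hours == 0 or km / hours > max_speed_kmh):
                alerts.append((e["user"], round(km), round(hours, 2)))
        last[e["user"]] = e
    return alerts


if __name__ == "__main__":
    print("spraying:", detect_password_spraying(SAMPLE_EVENTS))
    print("push bombing:", detect_mfa_push_bombing(SAMPLE_EVENTS))
    print("impossible travel:", detect_impossible_travel(SAMPLE_EVENTS))
```

The thresholds are starting points to tune per environment, not the advisory’s values: a 10-minute window over five accounts catches a fast spray but not a slow one spread over days, so a long-window variant keyed on the same source address belongs alongside it. Of the three, an MFA burst that ends in an approval is the one worth paging on immediately, since it means the attacker now holds a session.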
Detection Engineering for Proactive Defence
Detection engineering forms the backbone of a Security Operations Centre (SOC), empowering teams to anticipate and neutralise cyber threats before they disrupt critical infrastructure. This intricate process involves crafting tailored detection rules aligned with known attack techniques, as outlined in recent threat intelligence advisories. For example, the recent Iranian cyber threat scenario demonstrates how adversaries exploit legitimate tools and stolen credentials to remain undetected, underscoring the essential need for finely tuned detection systems in cyber defence strategies. Kinetic IT’s SOC analysts offer bespoke proactive detection strategies for IT and OT environments. These strategies specifically address multi-factor authentication attacks and flag suspicious activity, such as unauthorised MFA attempts or unusual VPN access. By integrating these threat intelligence insights into monitoring rules, your security operations shift from reactive to resilient, making cybersecurity an anticipatory layer of protection. This approach keeps your organisation several steps ahead, transforming cyber defence into a proactive safeguard for critical infrastructure cybersecurity.
Transforming Intelligence into Action
Turning threat intelligence into proactive security measures is crucial. Advisories like this Iranian report and annual reports such as the ASD Cyber Threat Report can provide the insights needed to strengthen an organisation’s defences. By enforcing stronger password policies, implementing robust MFA solutions, and fine-tuning logging to detect unusual behaviour, organisations can spot and stop attackers before they gain a foothold in their systems.
With a focus on proactive detection and response, contact Kinetic IT to discuss how we can become your trusted partner in defending your critical systems against these continually evolving cyber threats.