Iranian Attacks on Industrial Control Systems

New details:

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.


The hackers’ motivation—and which industrial control systems they’ve actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. “They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” says Moran. “They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”

It’s unclear whether the attackers are causing any actual damage, or just gaining access for some future use.
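An added example, not part of the original post or of Microsoft's research: in authentication logs, the password spraying described above appears as one source failing against many distinct accounts with only a few guesses on each. The function below separates that pattern from single-account brute force and from ordinary typos. The event tuples, thresholds and documentation-range IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed events: (timestamp, source IP, username, outcome)."""
    t0 = datetime(2019, 11, 1, 9, 0, 0)
    events = []
    # Spray: one source, 12 accounts, 2 guesses per account, spaced out.
    for i in range(12):
        for j in range(2):
            ts = t0 + timedelta(minutes=3 * i + 40 * j)
            events.append((ts, "203.0.113.7", f"user{i:02d}", "FAIL"))
    # Brute force: one source hammering a single account.
    for i in range(30):
        events.append((t0 + timedelta(seconds=10 * i), "198.51.100.9", "admin", "FAIL"))
    # Ordinary user: one typo, then a successful login.
    events.append((t0 + timedelta(minutes=5), "192.0.2.20", "alice", "FAIL"))
    events.append((t0 + timedelta(minutes=6), "192.0.2.20", "alice", "OK"))
    return sorted(events)

def detect_spray(events, window=timedelta(hours=1), min_accounts=10, max_per_account=3):
    """Return {source: peak distinct accounts} for sources whose failures inside
    a sliding window hit >= min_accounts accounts, each <= max_per_account times."""
    by_src = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start, counts = 0, defaultdict(int)
        for ts, user in fails:
            counts[user] += 1
            # Drop failures that have aged out of the window.
            while ts - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            # Breadth across accounts with low depth per account is the signature.
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = max(flagged.get(src, 0), len(counts))
    return flagged

if __name__ == "__main__":
    print(detect_spray(sample_events()))
```

The per-account ceiling is what keeps lockout-aware spraying distinguishable from brute force; tune `min_accounts` and `window` to the size of the tenant being monitored.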

Posted on December 17, 2019 at 6:05 AM • 14 Comments


Jenny December 17, 2019 6:46 AM

So if accurate and not simply a piece of propaganda, it would seem they’re doing nothing more than what Israel and US did with Stuxnet. Sure is hard to get outraged over that if you’ve been paying attention.

“The hackers’ motivation — and which industrial control systems they’ve actually breached — remains unclear.” Would seem to point to this being propaganda as even a child could come up with a likely reason why Iran would want to explore this and many a child would be able to see it’s probably justified.

As always the best way to improve security, whether technological or national, is to improve people’s lives, not bully them. What a radical concept.

keiner December 17, 2019 10:36 AM

… which the other way around means, if you want to radicalize people(s) simply make their life miserable.

And now have a look at the last decade, or two.

Ross Snider December 17, 2019 10:52 AM

My guess would be collected access as leverage in strategic competition. There will (likely) be a new administration in 2020 with new policies (less hawkish?) toward Iran. Credible leverage goes a long way toward evening the diplomacy, and states financially suffocated by the US (like Iran) find the asymmetric nature of cyber warfare a great investment – particularly when other aspects of conventional deterrence (nuclear in this case) are dominating aspects of the international conversation and deployed military context.

Of course it could be for industrial intelligence or an aspect of another multiprong policy effort.

Impossibly Stupid December 17, 2019 11:07 AM

The real story here is that apparently Microsoft has 2000 clients who have been paying them for security services only to see a 10x increase in attacks. That’s a seriously incompetent “threat intelligence group” you have there.


    “As always the best way to improve security, whether technological or national, is to improve people’s lives, not bully them. What a radical concept.”

So radical, I guess, that the Middle East has had thousands of years to get it right, yet continue to “bully” their own people in some rather horrific ways (especially women). Nobody should be pretending to be in a position of moral superiority here. As a practical matter, Iranians have more productive actions they could take than attacking foreign organizations.

MarkH December 17, 2019 11:52 AM


I don’t know how to compare Stuxnet vs. what Iran is reported to be doing.

To my mind, the attacks have important differences.

Stuxnet reportedly caused physical destruction; Iran seems (at this time) to be probing and gathering data in a non-destructive cyberattack.

Stuxnet was (reportedly) very sharply focused on the sabotage of uranium enrichment centrifuges, whereas the reported Iranian activities appear to be very broad in scope.

The obvious intention of Stuxnet was to delay Iran’s attainment of the capacity to assemble nuclear bombs. It seems very likely to me, that Iran’s project is to prepare a retaliatory capacity as deterrence against attack on Iran or its interests.

Clive Robinson December 17, 2019 2:10 PM

@ Jenny,

    “So if accurate and not simply a piece of propaganda, it would seem they’re doing nothing more than what Israel and US did with Stuxnet.”

Yup probably so.

However, if you remember whilst Israel might have wanted to hit Iran, the US target was actually North Korea…

Which means if the similarities hold that their target may not be who it appears to be.

As for if Iran is going after ICS organisations, it may not even be for the purposes of attack, but industrial espionage to get access to technology the US is illegally blocking them access to (yes the US embargo is illegal under International law and it’s only by threatening other nations with the usual “bomb them back to the stone ages” threats it’s making it work).

However with regards Iran attacking Saudi, perhaps people are forgetting who started attacking who and why. The US Government via the State Dept has a lot to answer for with regards to that.

But then we come to the messenger,

Microsoft security researcher Ned Moran, and what he has been saying. As he admits most of it is based on a gut feeling… Yup not the best intelligence source there is especially if others use it as an excuse to go kinetic and commit a primary and thus illegal act of war under agreed international law.

But what of the messenger’s employer? Microsoft has been way too close and cosy with US IC for quite a long time now, as we now know. Thus we can assume that Ned Moran’s employer is happy for him to spew his gut feelings in public. Which almost certainly means he is “on message” with Microsoft’s corporate view point and thus probably very much in line with US Government Executive etc actual policy, rather than its public nonsense.

So it could be said that a certain old saw attributed to Upton Sinclair[1] applies to Ned’s guts,

    “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”

Thus my feeling is that various people are singing from the same hymn sheet over this announcement that comes at a politically opportune time for the US executive. After all as UK Prime Minister Maggie Thatcher proved back when Ronnie “Ray gun” Reagan was US President, there is nothing like winning a good war to make you popular come election time.

I’m just waiting for the story to surface that North Korea and even China are involved to stir it up even further. So flags can be waved, drums can be banged, war hawks take to the air, and the rattling of sabers cease as they are drawn and waved in the air…

[1] Upton Sinclair also had one or two other choice quotes that would be applicable but we can save those for another day 😉

SpaceLifeForm December 17, 2019 3:43 PM

@ Clive

Yep. If it was a legit attack that would worry IC, they would not be talking about it.

Phaete December 17, 2019 6:00 PM

Sounds like they got a new office manager with fresh ideas.
Or their list of companies for the fast spray and pray was at an end.

SpaceLifeForm December 18, 2019 4:22 PM

@ Petre Peter, ALL

‘Same old hoodie with laptop picture.’

Speaking of hoodie and laptop…

In 4 days, you may find the 2 hour final of Mr. Robot interesting.

Clive Robinson December 18, 2019 4:54 PM

@ dbCooper,

As regards Upton Sinclair, this may pave the way for a sequel to “The Jungle”.

That sort of destroying security measures designed for the safety of hundreds of millions of people is scary. Especially for those of us who will be hit by the recent political change. Those pushing this through the executive, are also demanding “open access” to another 50-70 million people as part of any trade negotiations…

Not good, not good at all.
