Iranian Cyber Actors’ Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations
ID: 76e502a5-2d68-5468-af45-3ac3aa2e0b87
STIX ID: report--76e502a5-2d68-5468-af45-3ac3aa2e0b87
Feed Name: CISA Cybersecurity Advisories
This joint advisory from U.S. and allied agencies warns that Iranian cyber actors have used brute-force techniques (chiefly password spraying), MFA push-bombing (prompt fatigue), MFA registration manipulation (enrolling attacker-controlled devices on accounts they have already compromised), Kerberoasting, lateral movement over RDP, and living-off-the-land (LOTL) tools to gain and keep access to Microsoft 365, Azure, Citrix and other environments across multiple critical infrastructure sectors. It includes MITRE ATT&CK mappings, indicators of compromise (file hashes, numerous IP addresses, device models), detection guidance, and recommended mitigations such as phishing-resistant MFA and stronger password policies.
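The two initial-access techniques the summary leads with, password spraying and MFA push-bombing, leave recognisable patterns in sign-in telemetry: a spray is one source hitting many distinct accounts with only one or two failed attempts each, and push-bombing is a burst of MFA prompts to one user, often ending in a single approval. The detection sketch below is an added example, not code from the advisory or from CISA; the comma-separated log format, the field names, the thresholds and the sample log lines are all constructed for illustration and should be adapted to the sign-in log schema you actually collect.

```python
"""Detection sketch for password spraying and MFA push-bombing over sign-in logs.

Added example. The log format (timestamp,event,user,src_ip,result), the event
names 'signin' / 'mfa_prompt' and the thresholds are assumptions for this
illustration, not rules taken from the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source (203.0.113.10) touching five
# accounts once each, a legitimate user (frank) fumbling a password twice,
# and carol receiving five MFA prompts in two minutes before approving one.
SAMPLE_LOG = """\
2024-10-16T08:00:01Z,signin,alice,203.0.113.10,failure
2024-10-16T08:00:03Z,signin,bob,203.0.113.10,failure
2024-10-16T08:00:05Z,signin,carol,203.0.113.10,failure
2024-10-16T08:00:07Z,signin,dave,203.0.113.10,failure
2024-10-16T08:00:09Z,signin,erin,203.0.113.10,failure
2024-10-16T08:00:11Z,signin,carol,203.0.113.10,success
2024-10-16T08:01:00Z,mfa_prompt,carol,203.0.113.10,denied
2024-10-16T08:01:30Z,mfa_prompt,carol,203.0.113.10,denied
2024-10-16T08:02:00Z,mfa_prompt,carol,203.0.113.10,timeout
2024-10-16T08:02:30Z,mfa_prompt,carol,203.0.113.10,denied
2024-10-16T08:03:00Z,mfa_prompt,carol,203.0.113.10,approved
2024-10-16T08:05:00Z,signin,frank,198.51.100.7,failure
2024-10-16T08:05:20Z,signin,frank,198.51.100.7,failure
2024-10-16T08:05:45Z,signin,frank,198.51.100.7,success
2024-10-16T08:05:50Z,mfa_prompt,frank,198.51.100.7,approved
"""


def parse(log_text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event, user, ip, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": user, "ip": ip, "result": result,
        })
    return events


def find_password_spraying(events, window=timedelta(minutes=10),
                           min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins spread over many accounts.

    A spray is 'low and slow' per account, so we also require that no single
    account was hit more than max_per_account times inside the window; this
    separates a spray from one user repeatedly mistyping a password.
    Returns {src_ip: sorted list of targeted accounts}.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "signin" and e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window anchored on each failure
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[ip] = sorted(per_user)
                break
    return alerts


def find_mfa_push_bombing(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag users who receive a burst of MFA prompts inside the window.

    Also records whether any prompt from the start of that burst onward was
    approved: a denial storm followed by an approval is the classic sign that
    the user eventually gave in to prompt fatigue.
    Returns {user: {"prompts": n, "approved_after_fatigue": bool}}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_prompt":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(burst) >= min_prompts:
                approved = any(e["result"] == "approved" for e in evs[i:])
                alerts[user] = {"prompts": len(burst), "approved_after_fatigue": approved}
                break
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("password spraying:", find_password_spraying(evs))
    print("MFA push-bombing: ", find_mfa_push_bombing(evs))
```

The thresholds here are deliberately low so the constructed sample trips them; in production, tune the account count and window against your own baseline, and correlate a flagged spray with any success from the same source (carol's sign-in above) and with subsequent MFA registration events, since the advisory notes that the actors enrol their own devices once they are in.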
