Iran-linked hackers targeted thousands of organizations worldwide

Hackers linked to the Iranian government have targeted thousands of organizations in the satellite, defense and pharmaceutical industries as part of an espionage campaign, new research shows. The group behind the attacks, tracked by Microsoft as Peach Sandstorm, succeeded in breaking into a number of the targeted organizations and stealing their data. Microsoft did not disclose which countries were targeted.

Recent Iran-related attacks have focused on Israel, the United States, Brazil and the United Arab Emirates. In a new campaign that ran from February to July, Peach Sandstorm used a combination of publicly available and custom tools to break into its targets and gather intelligence "in support of Iran's national interests", Microsoft said.

To break into victim accounts, Peach Sandstorm used a technique known as "password spraying": instead of hammering one account with many passwords, the attackers try a single password, or a short list of commonly used passwords, against a large number of accounts. While it sounds simple, the technique raises the attackers' odds of hitting at least one weak account while keeping the number of failed attempts per account below the threshold that would trigger an automated lockout. Peach Sandstorm (previously tracked as Holmium) has used password spraying in earlier attacks as well, including against the aerospace, defense, chemical, and mining industries.

Once the group gains a foothold in a target, its activity becomes more sophisticated. For example, Microsoft observed the hackers using the open-source tools AzureHound and ROADtools to enumerate a victim's Azure environment, access data in the target's cloud tenant, and dump specific data of interest into a single database.

The group also installed the Azure Arc agent on a compromised device and connected it to an Azure subscription under their own control, giving them remote control of the targeted device from the attackers' cloud infrastructure. They attempted to exploit well-known vulnerabilities as well, such as those in Zoho ManageEngine, used for IT service management, and Confluence, a team collaboration tool. Additionally, AnyDesk, a commercial remote monitoring and management tool, was used to maintain access to the target.

Researchers have also discovered a new backdoor tool suspected to have been used by Iranian hackers to attack targets in Brazil, Israel and the United Arab Emirates. According to cybersecurity firm ESET, the hacker group, known as Ballistic Bobcat or Charming Kitten, deployed the tool between March 2021 and June 2022, targeting at least 34 victims, most of them in Israel.

A recent Microsoft report says Iranian state-sponsored hackers are increasingly using influence operations to extend the impact of traditional cyberattacks and to push Tehran's political agenda in Israel and the United States.

As Peach Sandstorm continues to develop and deploy new capabilities, organizations must put appropriate defenses in place to reduce their attack surface and raise the cost of these attacks.
