Hackers linked to the Iranian government have deployed custom malware to compromise targets in satellite, oil and gas, communications and government sectors in the United States and the United Arab Emirates, according to research published Wednesday by Microsoft.
This is the latest evidence that Iranian aggression in cyberspace continues to grow, coming on the heels of revelations that Iranian hackers have targeted both parties in the 2024 US presidential election.
The group at the center of Wednesday’s report (which Microsoft calls Peach Sandstorm, but is also known by other aliases including APT33 and Refined Kitten) most recently deployed custom backdoor malware called Tickler, whose activity Microsoft observed from April through July. The group relies on infrastructure from Microsoft’s own Azure cloud computing platform, using subscriptions that the attackers illegally controlled.
“Based on the group’s victimology and operational focus, Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Revolutionary Guard Corps (IRGC),” the company said in the report. “Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian national interests.”
The Tickler attack follows recent password spraying attacks, in which a small set of common passwords is tried against many accounts in the hope that some will match. Peach Sandstorm has a history of using this technique to infiltrate targets, with Microsoft seeing similar attacks as recently as April and May. According to Microsoft, the group targeted the defense, space, education and government sectors in the US and Australia.
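The password spraying pattern described above has a recognizable detection signature: one source failing sign-ins against many distinct accounts inside a short window, with only one or two attempts per account, which separates it from brute force against a single account. The following is an added example written for this article, not code from the report or from Microsoft; the log format, thresholds, account names and IP addresses are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical, not from the report).
# Format: timestamp,source_ip,account,result
SAMPLE_LOG = """\
2024-04-02T08:00:01Z,203.0.113.7,alice@example.test,FAIL
2024-04-02T08:00:09Z,203.0.113.7,bob@example.test,FAIL
2024-04-02T08:00:17Z,203.0.113.7,carol@example.test,FAIL
2024-04-02T08:00:25Z,203.0.113.7,dave@example.test,FAIL
2024-04-02T08:00:33Z,203.0.113.7,erin@example.test,FAIL
2024-04-02T08:00:41Z,203.0.113.7,frank@example.test,SUCCESS
2024-04-02T08:01:00Z,198.51.100.3,alice@example.test,FAIL
2024-04-02T08:01:05Z,198.51.100.3,alice@example.test,FAIL
2024-04-02T08:01:15Z,198.51.100.3,alice@example.test,SUCCESS
"""


def parse_log(text):
    """Parse the constructed CSV-style log into (time, ip, account, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, account, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Flag source IPs whose failed sign-ins hit at least `min_accounts` distinct
    accounts within `window`, with no more than `max_per_account` failures per
    account. Returns {ip: {"accounts": n, "successes": [accounts that later succeeded]}}
    so a responder can see which accounts the spray may have compromised."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAIL"]
        for i, start in enumerate(failures):
            # Sliding window: all failures from this one up to `window` later.
            span = [e for e in failures[i:] if e[0] - start[0] <= window]
            per_account = defaultdict(int)
            for e in span:
                per_account[e[2]] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                successes = sorted({e[2] for e in evs if e[3] == "SUCCESS"})
                findings[ip] = {"accounts": len(per_account), "successes": successes}
                break
    return findings
```

The second source in the sample (three attempts against one account) is deliberately not flagged, since it lacks the many-accounts, few-attempts-each shape of a spray.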
The attacks appear to have been somewhat successful: “Over the past year, Peach Sandstorm has successfully compromised multiple organizations using custom-made tools, primarily in the sectors mentioned above,” the report said.
While governments and industry are turning more attention to the space sector, some believe other steps should be taken to protect it.
The Iranian government has always denied any ties to foreign hacking activities.
Author: Tim Starks Tim Starks is a senior reporter at CyberScoop. He previously worked at The Washington Post, POLITICO and Congressional Quarterly. A native of Evansville, Indiana, he has been covering cybersecurity since 2003. Email Tim at tim.starks@cyberscoop.com.