Iranian State Hacker Aggression Escalates, Says MicrosoftSubgroup of Mint Sandstorm Threat Group Is Exploiting Vulnerabilities More Quickly
An Iranian state hacking group shifted from espionage to direct targeting of U.S. critical infrastructure - a likely indicator of newfound aggression by the Iranian national security apparatus, said Microsoft.
The computing giant said a group newly designated as Mint Sandstorm - the company has shifted to a new weather-based taxonomy for threat actors - in late 2021 and mid-2022 targeted seaports, energy companies, transit systems and "a major U.S. utility and gas entity."
The U.S. Department of the Treasury last September sanctioned hackers affiliated with Iran's Islamic Revolutionary Guard Corps - individuals who Microsoft said make up an element of Mint Sandstorm. The group is also known as APT42, Cobalt Illusion and TA453.
Microsoft assesses that Tehran views the attacks a retaliation for a spate of cyberattacks that disrupted maritime traffic, delayed trains and crashed gas station payments. State media accused Israel and the United States of the disruption in domestic fuel distribution.
One sign of the group's increased operational tempo is that a subgroup of Mint Sandstorm is more quickly exploiting recently disclosed vulnerabilities. Microsoft said that until this year, the subgroup, which focuses on espionage but is also responsible for critical infrastructure attacks, often took weeks to weaponize known vulnerabilities. But in January, it turned around a vulnerability in the Zoho ManageEngine in just one day, and in February, it took just five days to exploit a vulnerability in Aspera Faspex.
Since at least last year, the subgroup has used two custom implants with the executable file names "Soldier" and "Drokbk." Both contact Mint Sandstorm-controlled GitHub repositories to reach their command-and-control domains - a technique that allows the threat actors to dynamically update their infrastructure. Of the two, Soldier is the more sophisticated, since it can uninstall itself.
Mint Sandstorm also has a third custom implant dubbed CharmPower that is delivered through spear-phishing campaigns targeting individuals with ties to the security community and affiliated with think tanks or universities in Israel, North America and Europe. The bait is a OneDrive link hosting a PDF that contains a link to a Dropbox account hosting a template file weaponized with macros. The macros allow remote template injection - "a technique that allows operators to obtain and launch a payload from a remote C2, often OneDrive," Microsoft wrote. Attackers like remote template injection for its detection-evading properties.
Microsoft analysis previously correlated growing Iranian aggression in cyberspace with a changeover in Iranian presidential leadership. Hardliner Ebrahim Raisi in August 2021 replaced relatively moderate cleric Hassan Rouhani. "The hawkish views of the Raisi administration appear to have raised the willingness of Iranian actors to take bolder action against Israel and the West, particularly the United States," Microsoft wrote in a 2022 annual threat landscape assessment.