Iranian hackers known as “Mint Sandstorm” have been refining their tactics and targeting energy and transportation infrastructure in the US, including ports, energy companies and transit systems, Microsoft Threat Intelligence reported on Tuesday.
Mint Sandstorm is the new name used by Microsoft to track the activity of the collection of hacker groups formerly known as Phosphorus, a collection of threat actors assessed to be associated with an intelligence arm of the Iranian Revolutionary Guard Corps (IRGC). The groups included under Mint Sandstorm have also been referred to as APT35, APT42, Charming Kitten, and TA453.
Microsoft’s new report focuses on a specific subgroup of Mint Sandstorm which specializes in hacking into and stealing sensitive information from high-value targets.
According to the report, the group of hackers is “technically and operationally mature” and is capable of developing custom-tailored software to quickly weaponize “N-day vulnerabilities” (vulnerabilities that are already publicly known, but may or may not have been patched).
Iran targeted US as retaliation for cyberattacks on Iranian infrastructure
From 2021 to 2022, the Mint Sandstorm subgroup targeted critical infrastructure in the US, including seaports, energy companies, transit systems, and a major US utility and gas company.
Microsoft Threat Intelligence assessed that the attacks were likely carried out as retaliation against cyberattacks that disrupted maritime traffic, delayed trains and crashed gas station payment systems in Iran in 2020 and 2021.
The attacks also coincided with a broader increase in attacks attributed to Iran-linked hackers that Microsoft observed beginning in September 2021, as well as other moves by the Iranian regime since President Ebrahim Raisi took power. Microsoft noted in a past report that the Raisi administration’s views “appear to have raised the willingness of Iranian actors to take bolder action against Israel and the West, particularly the United States.”
In Microsoft’s Digital Defense Report for 2022, the tech company noted that Mint Sandstorm began scanning US organizations in October 2021 for unpatched Fortinet and ProxyShell vulnerabilities and then used these vulnerabilities to execute ransomware attacks.
This year, Mint Sandstorm began showing a noticeable advancement in its ability to exploit publicly known exploits using “proof-of-concept” code (experimental code used to demonstrate security flaws in software). While in the past, the group was slow to adopt exploits, starting in early 2023, the group became a lot faster at using them, sometimes even adopting exploits within 24 hours after they became public.
Mint Sandstorm additionally continues to use older vulnerabilities, especially Log4Shell.
After exploiting vulnerabilities, the Mint Sandstorm subgroup then deploys custom code to catalog devices using the affected network. After cataloging the devices, the subgroup then takes one of two attack approaches: either attempting to access a database containing the credentials of users in an organization in order to use the stolen credentials to masquerade as legitimate users or create a scheduled task that maintains their ability to access the targeted system and then deploy a custom malware, such as Drokbk or Soldier, on the targeted system.
Microsoft noted that the second approach which uses custom malware signals “an increase in the subgroup’s level of sophistication, as they shift from using publicly available tools and simple scripts to deploying fully custom developed malicious code.”
Iranian hackers using phishing attacks to lure in victims
Mint Sandstorm has also been seen using phishing campaigns in order to lure targets into clicking on links containing malicious files. The emails often claim to contain information on security policies affecting countries in the Middle East and target individuals affiliated with think tanks and universities in Israel, North America or Europe.
Last June, the Israeli cybersecurity firm Check Point reported that Iranian hackers used a phishing attack to target the emails of senior Israeli and American officials and executives, including former foreign minister Tzipi Livni and a former US ambassador to Israel. The source code of the phishing page included a domain that has been used by Mint Sandstorm.
Microsoft Threat Intelligence noted that the phishing tactic is used relatively rarely by the group, with fewer than 10 organizations targeted in this way.
Microsoft stressed that organizations should constantly update and patch their systems and should set up their antivirus software to block executable files from running unless they meet specific criteria and block document editing and reading software from creating executable content.
In September of last year, the US Department of the Treasury sanctioned ten individuals and two entities for their links to Mint Sandstorm.
Also in September, the Mandiant cyber security company reported that APT42, part of the Mint Sandstorm collection of threat actors, is believed to be behind a series of cyberattacks on organizations and individuals opposed to the Iranian government going as far back as 2015.
APT42 uses phishing and social engineering in order to build trust and rapport with victims in order to collect intelligence on them and those close to them and largely focuses on targeting organizations or individuals opposed to the Iranian regime, according to Mandiant.