The Iranian government-backed hacking group known as APT33 has been active for more than a decade, carrying out aggressive espionage operations against a wide range of targets worldwide, including critical infrastructure sectors. The group is best known for simple but effective techniques such as "password spraying", but it has also built more advanced tooling, including destructive malware aimed at industrial control systems. New findings from Microsoft indicate that the group is refining its methods with a new, layered backdoor.
Microsoft Threat Intelligence reports that the group, which it tracks as Peach Sandstorm, has developed custom malware that gives attackers remote access to compromised networks. The backdoor, named "Tickler" for reasons Microsoft has not explained, is deployed after initial access has been gained through password spraying or social engineering. Between April and as recently as July, the researchers observed Peach Sandstorm deploying the backdoor against organizations in the satellite, communications equipment, and oil and gas sectors. Microsoft also noted that federal and state government bodies in the United States and the United Arab Emirates were targeted with the malware.
“Our research on Peach Sandstorm’s employment of Tickler aims to heighten awareness about this threat actor’s refined skills,” Microsoft Threat Intelligence reported on Wednesday. “This aligns with the actor’s sustained intelligence collection goals and marks a new phase in their prolonged cyber activities.”
The research describes Peach Sandstorm deploying Tickler and then abusing the victims' Azure cloud environments, via attacker-controlled Azure subscriptions, to gain full control of the victims' systems. Microsoft says it has notified the customers its research team identified as affected by this campaign.
The group has also continued its low-tech password spraying attacks, according to Microsoft, in which attackers try a small set of leaked or common passwords against many target accounts until one succeeds. Peach Sandstorm has been using this technique to gain access to target systems both to infect them with the Tickler backdoor and for other espionage operations. Since February 2023, the researchers say they have observed the hackers "carrying out password spray activity against thousands of organizations." And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying against United States and Australian organizations in the space, defense, government, and education sectors.
“Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection,” Microsoft wrote.
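Defenders usually look for the "wide and shallow" shape of a spray in sign-in logs: one source failing against many distinct accounts, only a few attempts each, inside a short window, followed by any success from that same source. The following is an added example, not Microsoft's detection logic or anything from the article, that implements that check over constructed sample sign-in records; the log format, thresholds, accounts and addresses are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from the article). One attempt per line:
# ISO timestamp, source IP, account, outcome. Addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 203.0.113.5 alice@example.org FAIL
2024-05-01T09:00:03Z 203.0.113.5 bob@example.org FAIL
2024-05-01T09:00:05Z 203.0.113.5 carol@example.org FAIL
2024-05-01T09:00:07Z 203.0.113.5 dave@example.org FAIL
2024-05-01T09:00:09Z 203.0.113.5 erin@example.org FAIL
2024-05-01T09:00:11Z 203.0.113.5 frank@example.org SUCCESS
2024-05-01T09:05:00Z 198.51.100.9 alice@example.org FAIL
2024-05-01T09:05:30Z 198.51.100.9 alice@example.org FAIL
2024-05-01T09:06:00Z 198.51.100.9 alice@example.org SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, ip, user, outcome) tuples from the whitespace-separated log."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome

def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {ip: sorted targeted users} for sources whose failures within any `window`
    hit at least `min_users` distinct accounts with at most `max_per_user` failures each.
    Many users, few tries per user is spraying; many tries on one user is brute force."""
    fails = defaultdict(list)  # ip -> [(ts, user), ...] in time order
    for ts, ip, user, outcome in sorted(events):
        if outcome == "FAIL":
            fails[ip].append((ts, user))
    flagged = {}
    for ip, attempts in fails.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:  # slide window forward
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[ip] = sorted(per_user)
                break
    return flagged

def successes_after_spray(events, flagged):
    """(ip, user) pairs where a flagged source later signed in successfully: triage these first."""
    return sorted({(ip, u) for _, ip, u, out in events if out == "SUCCESS" and ip in flagged})

if __name__ == "__main__":
    events = list(parse_log(SAMPLE_LOG))
    hits = detect_spray(events)
    print("spraying sources:", hits)
    print("accounts to triage:", successes_after_spray(events, hits))
```

The brute-force source against a single account is deliberately not flagged here; a separate per-account lockout or threshold rule covers that case.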
The researchers say that, alongside this activity, the group has continued its social engineering operations on LinkedIn, the Microsoft-owned professional social network, which they say date back to at least November 2021 and have continued into mid-2024. Microsoft observed the group creating LinkedIn profiles posing as students, software developers, and talent acquisition managers supposedly based in the US and Western Europe.
“Peach Sandstorm primarily used [these accounts] to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries,” Microsoft wrote. “The identified LinkedIn accounts were subsequently taken down.”
Iranian hackers have been aggressively active in global cyber operations for many years. Recently, evidence emerged that another Iranian group is directing its cyberattacks at the 2024 US election, targeting political entities including the Trump and Harris campaigns.