An Iranian state-backed APT group carried out a “wave” of cyber-espionage attacks against thousands of global targets over a six-month period, Microsoft has revealed.
The group known as Peach Sandstorm (aka APT33, Elfin, and Refined Kitten) used password spraying techniques between February and July 2023. This is a brute-force technique where threat actors try to authenticate to multiple accounts with a list of commonly used passwords.
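As an added illustration (not part of this article or of Microsoft's report), a minimal detector for the pattern described above, run over constructed sign-in records: the signal is one source address producing failed sign-ins against many distinct accounts inside a short window, and any success from that source in the same window is the credential the spray yielded. Field names, thresholds and the sample events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical; not from Microsoft's report).
# Fields: UTC timestamp, source IP, user principal name, outcome.
SAMPLE_SIGNINS = [
    ("2023-03-01T02:00:05Z", "203.0.113.7", "alice@example.org", "failure"),
    ("2023-03-01T02:00:09Z", "203.0.113.7", "bob@example.org", "failure"),
    ("2023-03-01T02:00:14Z", "203.0.113.7", "carol@example.org", "failure"),
    ("2023-03-01T02:00:20Z", "203.0.113.7", "dave@example.org", "failure"),
    ("2023-03-01T02:00:25Z", "203.0.113.7", "erin@example.org", "failure"),
    ("2023-03-01T02:00:31Z", "203.0.113.7", "frank@example.org", "success"),
    # Repeated failures against a single account from another source: not a spray.
    ("2023-03-01T02:05:00Z", "198.51.100.9", "alice@example.org", "failure"),
    ("2023-03-01T02:05:30Z", "198.51.100.9", "alice@example.org", "success"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return one finding per source IP whose failed sign-ins touch at least
    `min_accounts` distinct users within `window`. Any account that signed in
    successfully from that IP inside the same window is listed as compromised,
    because that is the credential the spray handed the attacker."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((parse_ts(ts), user, outcome))
    findings = []
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order per source
        for i, (start, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, user, outcome in evs[i:]:
                if t - start > window:
                    break
                (failed if outcome == "failure" else succeeded).add(user)
            if len(failed) >= min_accounts:
                findings.append({"source_ip": ip,
                                 "sprayed_accounts": len(failed),
                                 "compromised": sorted(succeeded)})
                break  # one finding per source is enough for triage
    return findings
```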
Microsoft claimed that, although these noisy campaigns hit thousands of organizations across several sectors and geographies, subsequent activity was more “stealthy and sophisticated.”
“Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by Peach Sandstorm in the past,” it explained.
“In later stages of known compromises, the threat actor used different combinations from a set of known TTPs to drop additional tools, move laterally, and ultimately exfiltrate data from a target.”
The report claimed that a small subset of compromised victims had data taken from their systems. It’s not clear what type of organizations these were, but APT33 has a particular interest in the satellite, defense and pharmaceutical sectors, Microsoft said.
The group used AzureHound and ROADtools to conduct reconnaissance in Microsoft Entra ID (formerly Azure Active Directory) environments and deployed multiple persistence mechanisms, including the use of Azure Arc.
Azure Arc is a tool that allows users “to secure, develop, and operate infrastructure, applications, and Azure services anywhere,” and the group used it “to persist in compromised environments,” Microsoft explained.
In some cases, the group eschewed password spraying in favor of vulnerability exploitation: specifically, remote code execution bugs in Zoho (CVE-2022-47966) and Confluence (CVE-2022-26134).
In some intrusions, APT33 deployed AnyDesk, a commercial remote monitoring and management (RMM) tool, to maintain access to a target.
The end goal was to steal intelligence aligned with Iranian state interests, Microsoft claimed.
“The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity,” the report concluded.
“Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments. While the specific effects in this campaign vary based on the threat actor’s decisions, even initial access could adversely impact the confidentiality of a given environment.”