Microsoft has revealed that Iranian government-connected hackers are deploying custom malware to compromise targets operating in the satellite, communications equipment, oil and gas, and government sectors in the US and UAE.
In a statement released on Wednesday (August 28), the tech giant said that the threat actor Peach Sandstorm had deployed a new custom multi-stage backdoor, which the firm dubbed “Tickler.”
Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor named Tickler in attacks against multiple sectors in the United States and the United Arab Emirates. https://t.co/w6FSOFVkdc
— Microsoft Threat Intelligence (@MsftSecIntel) August 28, 2024
Between April and July 2024, it used Microsoft’s own Azure cloud computing platform to deploy fraudulent, attacker-controlled subscriptions. This included using Microsoft Outlook email accounts and creating Azure for Students subscriptions.
“Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus,” the report stated.
“Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.”
A Microsoft spokesperson told ReadWrite that the latest report, “builds on research shared in September about the Peach Sandstorm’s password-spray espionage campaign – demonstrating a diversification of tactics.”
Password spray attacks
However, since at least February 2023, the company said it found Peach Sandstorm carrying out password spray activity against thousands of organizations. In password spray attacks, threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords.
From April to May this year, hackers reportedly used password spray attacks against organizations in the defense, space, education, and government sectors in the US and Australia.
Microsoft admitted that Peach Sandstorm had “successfully compromised several organizations, primarily in the aforementioned sectors, using bespoke tooling” in the past year.
LinkedIn vulnerabilities
The professional social networking platform LinkedIn, which is owned by Microsoft, was also targeted. From at least November 2021 to mid-2024, hackers reportedly conducted intelligence gathering through the site, researching organizations and individuals employed in the same industries. The company said the identified LinkedIn accounts were subsequently taken down.
In February, Microsoft and OpenAI stated that threat actors from North Korea, China, Iran, and Russia had used ChatGPT to trick users on LinkedIn into providing sensitive information and data.
UPDATED: Microsoft spokesperson’s response to ReadWrite has been added.
Featured image: Ideogram