Microsoft has discovered that an Iranian hacking group known as ‘Mint Sandstorm’ is conducting cyberattacks on US critical infrastructure in what is believed to be retaliation for recent attacks on Iran’s infrastructure.
Mint Sandstorm is the new name for the Phosphorous hacking group, believed to work for the Iranian government and linked to the Islamic Revolutionary Guard Corps (IRGC).
In a new report, researchers in Microsoft’s Threat Intelligence team explain that a subgroup of Mint Sandstorm switched from performing surveillance in 2022 to performing direct attacks on US critical infrastructure.
The theory is that these intrusions are in retaliation for attacks on Iran’s infrastructure that the country attributed to the US and Israel. These include destructive attacks on Iran’s railway system in June 2021 and a cyberattack causing an outage at Iranian gas stations in October 2021.
Microsoft believes the Iranian government is now allowing state-sponsored threat actors more freedom when conducting attacks, leading to an overall increase in cyberattacks.
“This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021,” Microsoft warns in today’s report on Mint Sandstorm.
“The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations.”
Last year, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned ten individuals and two entities affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), whose activities overlap with those attributed to Phosphorus.
Deploying custom malware
Microsoft says that this new subgroup of Mint Sandstorm commonly uses proof-of-concept exploits as they become public, as the company observed an attack using a Zoho ManageEngine PoC the same day it was released.
In addition to N-day exploits, which is code for leveraging known vulnerabilities, the threat actors also used older vulnerabilities, such as Log4Shell, to breach unpatched devices.
Once they gain access to a network, the threat actors launch a custom PowerShell script to collect information on the environment to determine if it is high-value.
The hackers then use the Impacket framework to spread laterally on the network while conducting one of two attack chains.
The first attack chain leads to the theft of the target’s Windows Active Directory database, which can be used to obtain users’ credentials that can help hackers further the intrusion or evade detection on the network.
The second attack chain is to deploy custom backdoor malware called Drokbk and Soldier; both are used to maintain persistence on compromised networks and deploy additional payloads.
Microsoft says Drokbk (Drokbk.exe) [VirusTotal] is a .NET application that consists of an installer and a backdoor payload that retrieves a list of command and control server addresses from a README file on an attacker-controlled GitHub repository.
The Soldier malware is also a .NET backdoor that can download and run additional payloads and uninstall itself. Like Drokbk, it retrieves a list of command and control servers from a GitHub repository.
In addition to utilizing exploits to breach networks, Microsoft says the attackers conducted low-volume phishing attacks against a small number of targeted victims.
These phishing attacks included links to OneDrive accounts hosting PDFs spoofed to contain information about the security or policy in the Middle East. These PDFs also include links for a malicious Word template that used template injection to execute a payload on the device.
These phishing attacks were used to deploy the CharmPower PowerShell post-exploitation framework for persistence and executing further commands.
“Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C2 communication, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities,” warns Microsoft.
“While effects vary depending on the operators’ post-intrusion activities, even initial access can enable unauthorized access and facilitate further behaviors that may adversely impact the confidentiality, integrity, and availability of an environment.”
Microsoft recommends using attack surface reduction rules to block executables that do not meet specific criteria:
- Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- Block Office applications from creating executable content
- Block process creations originating from PSExec and WMI commands
As the threat actors heavily rely on vulnerabilities for initial access to corporate networks, Microsoft recommends that organizations apply security updates as soon as possible.
Particular attention should be paid to patching IBM Aspera Faspex, Zoho ManageEngine, and Apache Log4j2, as they are known targets for the threat actors.