Microsoft Threat Intelligence revealed on Tuesday that Iranian hackers, collectively dubbed “Mint Sandstorm,” have been honing their skills to target US energy and transportation infrastructure.
The group, which Microsoft previously tracked as Phosphorus, is assessed to be associated with an intelligence arm of Iran's Islamic Revolutionary Guard Corps (IRGC). Mint Sandstorm is not a single team: its activity overlaps with clusters that other vendors track under the names "APT35," "APT42," "Charming Kitten," and "TA453."
The report describes one subgroup as "technically and operationally mature," with the ability to develop custom tooling that weaponizes "N-day vulnerabilities," meaning flaws that have already been publicly disclosed (and usually patched by the vendor) but that many organizations have not yet remediated. Between late 2021 and mid-2022, the subgroup targeted US critical infrastructure including seaports, energy companies, transit systems, and a major utility and gas company. Microsoft assesses the activity was likely retaliation for cyberattacks that Iran attributes to its adversaries and that disrupted Iranian maritime traffic, delayed trains, and crashed gas station payment systems in 2020 and 2021.
Microsoft's Digital Defense Report for 2022 also observed a broader increase in attacks by Iran-linked actors since President Ebrahim Raisi took office in August 2021. The Raisi administration's posture appears to have emboldened Iranian operators to act more aggressively against Israel and the West, particularly the United States. In October 2021, Mint Sandstorm began scanning US organizations for unpatched Fortinet appliances and Microsoft Exchange servers vulnerable to ProxyShell, and later used these footholds to deploy ransomware.
Mint Sandstorm has also become markedly quicker at weaponizing publicly known vulnerabilities from "proof-of-concept" (PoC) code, the demonstration exploits that researchers publish to show a flaw is real. Where the group once lagged weeks or months behind disclosure, by early 2023 it was in some cases incorporating a newly published PoC into its operations within 24 hours of release, a window in which many defenders have not yet patched. Alongside exploitation, the group continues to run phishing campaigns that lure targets into clicking malicious links. The emails typically use content about security policy affecting Middle Eastern countries and target individuals affiliated with think tanks and universities in Israel, North America, or Europe.
Microsoft's primary recommendation is to keep systems continuously updated and patched, since the group's fastest tempo is measured against the gap between disclosure and remediation. It also recommends two Microsoft Defender attack surface reduction rules: block executable files from running unless they meet a prevalence, age, or trusted-list criterion, and block Office applications from creating executable content, which removes the common document-to-dropper path used in phishing.
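The two Defender rules above can be applied from an elevated PowerShell session on a host running Microsoft Defender Antivirus. The following is an added example for this page, not code from Microsoft's report; the rule GUIDs are Microsoft's published attack surface reduction rule IDs, and the exclusion path shown in the comment is a placeholder. It follows the usual audit-then-block rollout so that legitimate line-of-business software shows up as audit events rather than outages.

```powershell
# Added example (not from Microsoft's report): enable the two Defender attack surface
# reduction (ASR) rules the article describes, audit first, then enforce.
# Assumes Microsoft Defender Antivirus is the active AV and the shell is elevated.

# Microsoft's published ASR rule IDs (GUIDs are case-insensitive).
$RuleExecPrevalence    = '01443614-cd74-433a-b99e-2ecdc07bfc25'  # Block executables unless they meet a prevalence, age, or trusted-list criterion
$RuleOfficeExecContent = '3b576869-a4ec-4529-8536-b80a7769e899'  # Block Office applications from creating executable content

# The prevalence/age rule needs cloud-delivered protection to look up file reputation.
# MAPSReporting 0 = off, 1 = basic, 2 = advanced.
$pref = Get-MpPreference
if ($pref.MAPSReporting -eq 0) {
    Write-Warning 'Cloud-delivered protection is off; the prevalence/age rule cannot evaluate file reputation.'
}

# Step 1: audit mode. Add-MpPreference adds or updates rules without overwriting the
# existing rule set (Set-MpPreference would replace the whole list).
Add-MpPreference -AttackSurfaceReductionRules_Ids     $RuleExecPrevalence, $RuleOfficeExecContent `
                 -AttackSurfaceReductionRules_Actions AuditMode, AuditMode

# Review what WOULD have been blocked. ASR audit hits are event ID 1122 in the
# Defender operational log; real blocks are event ID 1121.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1122 } -MaxEvents 50 |
    Select-Object TimeCreated, Message

# Optional: exclude a path surfaced in audit that you have verified is legitimate.
# The path below is a placeholder, not a real recommendation.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\LOB\Installer\setup.exe'

# Step 2: once the audit log is clean, switch both rules to Block.
Add-MpPreference -AttackSurfaceReductionRules_Ids     $RuleExecPrevalence, $RuleOfficeExecContent `
                 -AttackSurfaceReductionRules_Actions Enabled, Enabled

# Verify: print each configured rule with its action (1 = Block, 2 = Audit, 6 = Warn).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

In a managed fleet the same rule IDs and actions are pushed through Intune or Group Policy rather than per host; the audit-first sequence is the same, and the 1121/1122 events are what a SOC would forward to its SIEM to see both attempted payload drops and the legitimate software the rules would have broken.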
The report follows the US Department of the Treasury's sanctions last year on ten individuals and two entities linked to Mint Sandstorm activity. Separately, cybersecurity firm Mandiant has reported that APT42, one of the clusters Microsoft groups under Mint Sandstorm, has likely been responsible for a series of cyberattacks on organizations and individuals opposing the Iranian government since at least 2015.