An Iranian cyber espionage group successfully compromised dozens of entities and exfiltrated data from a subset of them as part of a campaign targeting organizations in the satellite, defense and pharmaceutical sectors, Microsoft said in a report published Thursday.
The group in question — which Microsoft tracks as Peach Sandstorm and which is otherwise known as Holmium, APT33 or Elfin — compromised accounts through a high volume of password spray attacks, in which attackers try a single known password against a long list of usernames. The campaign began in February and targeted thousands of organizations, according to Microsoft.
Microsoft did not say where the targeted organizations are based but noted that previous Peach Sandstorm activity occurred during a “rise in tensions between the United States and the Islamic Republic of Iran.” Researchers have linked some of the group’s previous operations to the destructive Shamoon malware attacks that targeted Saudi Aramco, the oil company, in 2012 and other targets in subsequent years.
The news comes on the heels of an incipient deal between the U.S. and Iranian governments that would allow banks to transfer $6 billion in frozen Iranian oil funds and see U.S. authorities release five Iranian citizens held in the United States in exchange for the release of five American citizens detained in Iran, the Washington Post reported Monday.
The hacking activity disclosed on Monday took place between February and July this year, and Microsoft said that the hackers used the access they gained to maintain persistence on breached systems and carry out other, unspecified activity. Password spray attacks are noisy and easy to detect, but Microsoft researchers said that the activity is concerning because once the hackers gain access, they are in some cases pivoting toward stealthier, more sophisticated methods that represent an increase in capability compared to Peach Sandstorm’s past activity.
Researchers observed two pathways into targeted organizations associated with the campaign. The first, via the password spray route, allowed researchers to learn more about the campaign, showing, for instance, that the activity occurred almost exclusively between 9 a.m. and 5 p.m. Iran Standard Time. The second pathway saw the group attempt to exploit a pair of vulnerabilities from 2022 affecting a subset of on-premises Zoho ManageEngine products and the Confluence Server and Data Center.
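The two observations above that defenders can act on are that password spraying is noisy (one source trying many distinct usernames, mostly failing) and that this campaign ran almost entirely during 9 a.m. to 5 p.m. Iran Standard Time. The following detection sketch, added here as an example and not code from Microsoft or the report, runs over constructed sign-in events (all IPs, usernames and timestamps are made up) and flags sources that fail against many distinct accounts within a short window, noting any successes in that window and whether the activity fell inside IRST business hours.

```python
"""Detection sketch for password-spray activity over constructed sign-in logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Iran Standard Time is UTC+03:30; used to check the 9-to-5 IRST pattern.
IRST = timezone(timedelta(hours=3, minutes=30))

# Constructed sample events (timestamp_utc, source_ip, username, result).
# 203.0.113.7 sprays six accounts in ten seconds; 198.51.100.9 is a single
# user retrying a mistyped password, which should not be flagged.
SAMPLE_EVENTS = [
    ("2023-03-01T05:31:10Z", "203.0.113.7", "alice", "FAIL"),
    ("2023-03-01T05:31:12Z", "203.0.113.7", "bob", "FAIL"),
    ("2023-03-01T05:31:14Z", "203.0.113.7", "carol", "FAIL"),
    ("2023-03-01T05:31:16Z", "203.0.113.7", "dave", "FAIL"),
    ("2023-03-01T05:31:18Z", "203.0.113.7", "erin", "FAIL"),
    ("2023-03-01T05:31:20Z", "203.0.113.7", "frank", "SUCCESS"),
    ("2023-03-01T05:40:00Z", "198.51.100.9", "alice", "FAIL"),
    ("2023-03-01T05:40:05Z", "198.51.100.9", "alice", "FAIL"),
    ("2023-03-01T05:40:10Z", "198.51.100.9", "alice", "SUCCESS"),
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_spray_sources(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: summary} for sources that failed against at least
    min_users distinct usernames inside any sliding window of the given length."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((parse_ts(ts), user, result))
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for start, _, _ in evs:
            in_win = [e for e in evs if start <= e[0] < start + window]
            failed_users = {u for _, u, r in in_win if r == "FAIL"}
            if len(failed_users) < min_users:
                continue
            hours = sorted({t.astimezone(IRST).hour for t, _, _ in in_win})
            hits[ip] = {
                "distinct_users_failed": len(failed_users),
                "successes_in_window": [u for _, u, r in in_win if r == "SUCCESS"],
                "irst_hours": hours,
                "within_irst_business_hours": all(9 <= h < 17 for h in hours),
            }
            break  # one alert per source is enough
    return hits
```

A success from a flagged source inside the spray window is the account to reset and review first, since that is the point where the report says the group pivots to stealthier follow-on activity.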