Microsoft is raising the alarm on new Iranian state-sponsored attacks targeting employees at US defense industrial base (DIB) organizations.
The tech giant attributes the attacks to Peach Sandstorm, the name it uses to denominate the activity cluster also tracked as APT33, Elfin, Holmium, Magnallium, and Refined Kitten.
Believed to be active since at least 2013 and to be backed by the Iranian government, APT33 is known for targeting organizations across the government, research, aerospace, energy, finance, telecom, and other sectors in the US, Europe, Asia, and the Middle East.
“Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector,” Microsoft noted in a Thursday post on X (formerly Twitter).
The newly identified backdoor provides attackers with remote access to the infected systems, allows them to execute files, and exfiltrate data to the command-and-control (C&C) server. FalseFont, Microsoft says, was first used in attacks in November 2023.
“The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft,” the tech giant notes in a follow-up post.
In September, Microsoft warned of an APT33 campaign targeting thousands of organizations with password spray attacks that, in some cases, resulted in data being exfiltrated from the compromised networks.
In the first phase of the campaign, carried out between February and July 2023, password spraying was used for initial compromise, while the second phase employed exploits targeting known vulnerabilities in Zoho ManageEngine and Confluence.
Organizations are advised to reset passwords for any account targeted in an attack, to revoke session cookies, implement best practices for securing identity infrastructure, practice good credential hygiene, employ multi-factor authentication, transition to passwordless authentication, and secure remote desktop connections.
Related: Iranian Cyber Spies Use ‘LionTail’ Malware in Latest Attacks
Related: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware
Related: Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure
Related: US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt