Connect with us

Hi, what are you looking for?



Iranian Hackers Targeting US Defense Industrial Base Entities With New Backdoor

Microsoft has observed Iranian state-sponsored hackers targeting employees at US DIB entities with the FalseFont backdoor.

Microsoft is raising the alarm on new Iranian state-sponsored attacks targeting employees at US defense industrial base (DIB) organizations.

The tech giant attributes the attacks to Peach Sandstorm, the name it uses to denominate the activity cluster also tracked as APT33, Elfin, Holmium, Magnallium, and Refined Kitten.

Believed to be active since at least 2013 and to be backed by the Iranian government, APT33 is known for targeting organizations across the government, research, aerospace, energy, finance, telecom, and other sectors in the US, Europe, Asia, and the Middle East.

“Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector,” Microsoft noted in a Thursday post on X (formerly Twitter).

The newly identified backdoor provides attackers with remote access to the infected systems, allows them to execute files, and exfiltrate data to the command-and-control (C&C) server. FalseFont, Microsoft says, was first used in attacks in November 2023.

“The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft,” the tech giant notes in a follow-up post.

In September, Microsoft warned of an APT33 campaign targeting thousands of organizations with password spray attacks that, in some cases, resulted in data being exfiltrated from the compromised networks.

In the first phase of the campaign, carried out between February and July 2023, password spraying was used for initial compromise, while the second phase employed exploits targeting known vulnerabilities in Zoho ManageEngine and Confluence.

Advertisement. Scroll to continue reading.

Organizations are advised to reset passwords for any account targeted in an attack, to revoke session cookies, implement best practices for securing identity infrastructure, practice good credential hygiene, employ multi-factor authentication, transition to passwordless authentication, and secure remote desktop connections.

Related: Iranian Cyber Spies Use ‘LionTail’ Malware in Latest Attacks

Related: Iranian Cyberspies Target US-Based Think Tank With New macOS Malware

Related: Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure

Related: US Cyberwarriors Thwarted 2020 Iran Election Hacking Attempt

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet