URL: https://cyberscoop.com/iran-peach-sandstorm-apt33/
MICROSOFT: IRANIAN ESPIONAGE CAMPAIGN TARGETED SATELLITE AND DEFENSE SECTORS

Tehran's latest hacking activity involves using easy-to-detect techniques to
gain access and then pivoting to stealthier methods.

By AJ Vicens

September 14, 2023

Iranian flag waving with cityscape on background in Tehran, Iran. (Sir Francis
Canker Photography/Getty Images)

An Iranian cyber espionage group successfully compromised dozens of entities and
exfiltrated data from a subset of them as part of a campaign targeting
organizations in the satellite, defense and pharmaceutical sectors, Microsoft
said in a report published Thursday.

The group in question — which Microsoft tracks as Peach Sandstorm but which is
otherwise known as Holmium, APT33 or Elfin — compromised the accounts as part of
a high volume of password spray attacks, in which attackers try one known
password against a list of usernames. The campaign began in February and
targeted thousands of organizations, according to Microsoft.

Microsoft did not say where the targeted organizations are based but noted that
previous Peach Sandstorm activity occurred during a “rise in tensions between
the United States and the Islamic Republic of Iran.” Researchers have linked
some of the group’s previous operations to the devastating destructive Shamoon
malware attacks that targeted Saudi Aramco, the oil company, in 2012 and other
targets in subsequent years.

The news comes on the heels of an incipient deal between the U.S. and Iranian
governments that would allow banks to transfer $6 billion in frozen Iranian oil
funds and see U.S. authorities release five Iranian citizens held in the United
States in exchange for the release of five American citizens detained in Iran,
the Washington Post reported Monday.

The hacking activity disclosed on Monday took place between February and July
this year, and Microsoft said that the hackers used the access they gained to
maintain persistence on breached systems and carry out other, unspecified
activity. Password spray attacks are noisy and easy to detect, but Microsoft
researchers said that the activity is concerning because once the hackers gain
access, they are in some cases pivoting toward stealthier, more sophisticated
methods that represent an increase in capability compared to Peach Sandstorm’s
past activity.
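The "noisy and easy to detect" point above is worth making concrete: a spray looks like one source failing against many distinct accounts with only one or two attempts each, which is the opposite shape from a brute force against a single account. The following detector is an added example written for this page, not code from Microsoft or CyberScoop; the sign-in log lines, IP addresses and usernames are constructed, the sliding-window thresholds are arbitrary assumptions, and the Iran Standard Time conversion simply applies the working-hours observation reported in the article.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (not taken from the article or Microsoft's report).
# One event per line: ISO-8601 UTC timestamp, username, source IP, result (OK/FAIL).
# 203.0.113.7 sprays six accounts once each, then succeeds against "carol";
# 198.51.100.9 brute-forces a single account; 192.0.2.5 is a user's own typo.
SAMPLE_LOG = """\
2023-03-06T05:31:02Z alice 203.0.113.7 FAIL
2023-03-06T05:31:09Z bob 203.0.113.7 FAIL
2023-03-06T05:31:15Z carol 203.0.113.7 FAIL
2023-03-06T05:31:22Z dave 203.0.113.7 FAIL
2023-03-06T05:31:30Z erin 203.0.113.7 FAIL
2023-03-06T05:31:37Z frank 203.0.113.7 FAIL
2023-03-06T05:35:40Z carol 203.0.113.7 OK
2023-03-06T05:40:01Z dave 198.51.100.9 FAIL
2023-03-06T05:40:03Z dave 198.51.100.9 FAIL
2023-03-06T05:40:05Z dave 198.51.100.9 FAIL
2023-03-06T05:40:07Z dave 198.51.100.9 FAIL
2023-03-06T05:40:09Z dave 198.51.100.9 FAIL
2023-03-06T05:40:11Z dave 198.51.100.9 FAIL
2023-03-06T06:02:44Z alice 192.0.2.5 FAIL
2023-03-06T06:02:58Z alice 192.0.2.5 OK
"""

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+03:30


def parse_line(line):
    """Parse one constructed log line into a dict; timestamps become aware UTC datetimes."""
    ts, user, ip, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "ip": ip,
        "ok": result == "OK",
    }


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag sources whose failures in any `window` cover at least `min_users` distinct
    accounts with no account tried more than `max_per_user` times (assumed thresholds).

    Returns one alert per offending source IP, carrying the accounts that later
    authenticated successfully from that same source (likely compromised) and the
    IRST hours in which the failures occurred, for comparison with working hours.
    """
    events = [parse_line(l) for l in lines if l.strip()]
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)

    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            # Advance the window start so that fails[start:end+1] spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            per_user = Counter(e["user"] for e in win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed = set(per_user)
                first_fail = win[0]["ts"]
                # A sprayed account that later succeeds from the sprayer's IP is the
                # "access gained" case the article describes: treat it as compromised.
                compromised = sorted({
                    e["user"] for e in events
                    if e["ok"] and e["ip"] == ip and e["user"] in sprayed and e["ts"] >= first_fail
                })
                candidate = {
                    "ip": ip,
                    "window_start": first_fail.isoformat(),
                    "distinct_users": len(per_user),
                    "compromised": compromised,
                    "hours_irst": sorted({e["ts"].astimezone(IRST).hour for e in win}),
                }
                # Keep the widest-coverage window per source rather than the first hit.
                if best is None or candidate["distinct_users"] > best["distinct_users"]:
                    best = candidate
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the constructed log, the detector raises a single alert for 203.0.113.7 covering six accounts, names "carol" as the account that subsequently authenticated from the sprayer's address, and places the activity at 09:00 IRST; the single-account brute force and the user's own typo produce nothing. In a real tenant the same logic would run over sign-in audit events, and the compromised-account list is the item that matters for response, because a successful spray is the point at which the article says the actor pivots to quieter techniques.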

Researchers observed two pathways into targeted organizations associated with
the campaign. The first, via the password spray route, allowed researchers to
learn more about the campaign, showing, for instance, that the activity occurred
almost exclusively between 9 a.m. and 5 p.m. Iran Standard Time. The second
pathway saw the group attempt to exploit a pair of vulnerabilities from 2022
affecting a subset of on-premises Zoho ManageEngine products and the Confluence
Server and Data Center.

WRITTEN BY AJ VICENS

AJ covers nation-state threats and cybercrime. He was previously a reporter at
Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).
