URL:
https://cyberscoop.com/iran-peach-sandstorm-apt33/
Submission: On September 15 via api from TR — Scanned from DE
Microsoft: Iranian espionage campaign targeted satellite and defense sectors

Tehran's latest hacking activity involves easy-to-detect techniques to gain access and then pivoting to stealthier methods.

By AJ Vicens
September 14, 2023

(Image: Iranian flag waving with a cityscape in the background in Tehran, Iran. Sir Francis Canker Photography/Getty Images)

An Iranian cyber espionage group successfully compromised dozens of entities and exfiltrated data from a subset of them as part of a campaign targeting organizations in the satellite, defense and pharmaceutical sectors, Microsoft said in a report published Thursday.

The group in question, which Microsoft tracks as Peach Sandstorm and which is otherwise known as Holmium, APT33 or Elfin, compromised the accounts through a high volume of password spray attacks, in which attackers try one known password against a list of usernames. The campaign began in February and targeted thousands of organizations, according to Microsoft.

Microsoft did not say where the targeted organizations are based, but noted that previous Peach Sandstorm activity occurred during a “rise in tensions between the United States and the Islamic Republic of Iran.” Researchers have linked some of the group’s previous operations to the destructive Shamoon malware attacks that targeted the oil company Saudi Aramco in 2012 and other targets in subsequent years.
The news comes on the heels of an incipient deal between the U.S. and Iranian governments that would allow banks to transfer $6 billion in frozen Iranian oil funds and see U.S. authorities release five Iranian citizens held in the United States in exchange for the release of five American citizens detained in Iran, the Washington Post reported Monday.

The hacking activity disclosed on Monday took place between February and July this year, and Microsoft said that the hackers used the access they gained to maintain persistence on breached systems and carry out other, unspecified activity.

Password spray attacks are noisy and easy to detect, but Microsoft researchers said the activity is concerning because, once the hackers gain access, they are in some cases pivoting to stealthier, more sophisticated methods that represent an increase in capability compared with Peach Sandstorm’s past activity.

Researchers observed two pathways into targeted organizations associated with the campaign. The first, the password spray route, allowed researchers to learn more about the campaign, showing, for instance, that the activity occurred almost exclusively between 9 a.m. and 5 p.m. Iran Standard Time. The second pathway saw the group attempt to exploit a pair of vulnerabilities from 2022 affecting a subset of on-premises Zoho ManageEngine products and Confluence Server and Data Center.

Written by AJ Vicens: AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal/WhatsApp: (810-206-9411).

In this story: APT33, cyber espionage, Iran, Microsoft, Shamoon
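The article describes the spray pattern (one password tried against many usernames) and notes that it is noisy and easy to detect, and that the observed activity clustered between 9 a.m. and 5 p.m. Iran Standard Time. The following is an added example, not code from the article or from Microsoft's report, showing how a defender would surface that pattern from authentication logs: it flags a source address whose failed sign-ins touch many distinct accounts inside a short window, lists any successful sign-ins from a flagged source (the accounts to triage first), and builds an hour-of-day histogram in Iran Standard Time. The log format and the sign-in events are constructed for the example; real identity-provider logs carry the same fields under different names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in events (not real logs). One source address makes a
# single attempt per account across many accounts, the classic spray shape,
# while a second address repeatedly fails on one account (not a spray).
SAMPLE_LOG = """\
2023-03-06T05:31:02Z ip=203.0.113.5 user=alice result=FAIL
2023-03-06T05:31:09Z ip=203.0.113.5 user=bob result=FAIL
2023-03-06T05:31:15Z ip=203.0.113.5 user=carol result=FAIL
2023-03-06T05:31:22Z ip=203.0.113.5 user=dave result=FAIL
2023-03-06T05:31:30Z ip=203.0.113.5 user=erin result=FAIL
2023-03-06T05:31:41Z ip=203.0.113.5 user=frank result=SUCCESS
2023-03-06T07:02:10Z ip=198.51.100.7 user=alice result=FAIL
2023-03-06T07:02:30Z ip=198.51.100.7 user=alice result=FAIL
2023-03-06T07:03:05Z ip=198.51.100.7 user=alice result=SUCCESS
2023-03-06T22:10:00Z ip=192.0.2.9 user=gina result=FAIL
"""

# Assumed (constructed) log line layout: "<iso-timestamp> ip=<addr> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")
IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time is UTC+03:30


def parse_events(text):
    """Parse the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        events.append({"ts": ts, "ip": m.group(2), "user": m.group(3),
                       "ok": m.group(4) == "SUCCESS"})
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs whose failures hit at least min_users distinct accounts within one window.

    A brute force against a single account produces many failures for one user and
    is not flagged; a spray produces few failures per user across many users.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until the span fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {f["user"] for f in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "first_seen": fails[start]["ts"]})
                break  # one alert per source address is enough for triage
    return alerts


def successes_after_spray(events, alerts):
    """Accounts that signed in successfully from a flagged source: likely compromised."""
    flagged = {a["ip"] for a in alerts}
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged})


def hour_histogram_irst(events):
    """Count events per hour of day in Iran Standard Time, to compare against a 9-to-5 pattern."""
    hist = defaultdict(int)
    for e in events:
        hist[e["ts"].astimezone(IRST).hour] += 1
    return dict(hist)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = detect_spray(evts)
    print("spray alerts:", found)
    print("successful sign-ins from flagged sources:", successes_after_spray(evts, found))
    print("events per IRST hour:", hour_histogram_irst(evts))
```

The thresholds (ten-minute window, five distinct accounts) are assumptions chosen for the constructed sample; in production they are tuned against the tenant's normal failure rate, and the histogram is most useful over days of data, where a working-hours cluster in the operator's time zone stands out from the organization's own sign-in rhythm.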