Peach Sandstorm Iranian APT hackers use password spraying to target satellite, defense, pharmaceutical sectors

Microsoft researchers shared insights into a campaign by the Iranian nation-state hacking group Peach Sandstorm (APT33, Refined Kitten) that predominantly targets the satellite, defense, and pharmaceutical sectors. The group uses sophisticated methods, including password spray tactics and customized tools for data exfiltration, and Microsoft suggests the campaign facilitates Iranian intelligence collection.

“Since February 2023, Microsoft has observed password spray activity against thousands of organizations carried out by an actor we track as Peach Sandstorm (HOLMIUM),” the Microsoft researchers wrote in a Thursday blog post. “Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the globe. Based upon the profile of victim organizations targeted and the observed follow-on intrusion activity, Microsoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of Iranian state interests.”

Microsoft added that in cases where the hackers successfully authenticated to an account, it observed that the group used a combination of publicly available and custom tools for discovery, persistence, and lateral movement. “In a small number of intrusions, Peach Sandstorm was observed exfiltrating data from the compromised environment.”

Given the volume of activity, ongoing attempts to access targets of interest, and risks associated with post-compromise activity, Microsoft is reporting on this campaign to raise awareness of recent Peach Sandstorm tradecraft and empower organizations to harden their attack surfaces and defend against this activity, the post outlined. “As with any observed nation-state actor activity, Microsoft directly notifies customers that have been targeted or compromised by Peach Sandstorm and provides them with the information they need to secure their accounts.”

Throughout 2023, the Iranian APT group has consistently demonstrated interest in organizations in the satellite, defense, and to a lesser extent, pharmaceutical sectors. In past attacks, Peach Sandstorm has pursued targets in the aviation, construction, defense, education, energy, financial services, healthcare, government, satellite, and telecommunications sectors. Activity that Microsoft attributes to Peach Sandstorm overlaps with public reporting on groups known as APT33, Elfin, and Refined Kitten.

The Microsoft researchers outlined that in the initial phase of this campaign, Peach Sandstorm conducted password spray campaigns against thousands of organizations across several sectors and geographies. “While Microsoft observed several organizations previously targeted by Peach Sandstorm, the volume of activity and range of organizations suggests that at least a subset of the initial activity is opportunistic. In past operations, Peach Sandstorm relied heavily, but not exclusively, on password spray attacks as a means of gaining access to targets of interest.”
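A defender-side illustration of the spray pattern described above, added here and not taken from Microsoft's post: it scans constructed sign-in records (not real telemetry) for one source failing against many distinct accounts with only a few attempts each, which separates spraying from single-account brute force, and reports whether any account later succeeded from that source. The log format, thresholds and IP addresses are assumptions.

```python
"""Detect password-spray patterns in constructed sign-in log lines.

Spraying tries one or a few passwords against MANY accounts, so the
signal is one source hitting many distinct users with few failures each.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp,source_ip,user,result" (not real telemetry)
SAMPLE_LOG = """\
2023-03-01T10:00:01Z,203.0.113.7,alice,failure
2023-03-01T10:00:03Z,203.0.113.7,bob,failure
2023-03-01T10:00:05Z,203.0.113.7,carol,failure
2023-03-01T10:00:07Z,203.0.113.7,dave,failure
2023-03-01T10:00:09Z,203.0.113.7,erin,failure
2023-03-01T10:00:11Z,203.0.113.7,frank,success
2023-03-01T10:05:00Z,198.51.100.9,alice,failure
2023-03-01T10:05:02Z,198.51.100.9,alice,failure
2023-03-01T10:05:04Z,198.51.100.9,alice,failure
2023-03-01T10:05:06Z,198.51.100.9,alice,failure
2023-03-01T10:05:08Z,198.51.100.9,alice,failure
2023-03-01T10:05:10Z,198.51.100.9,alice,failure
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: {...}} for sources that fail against at least
    `min_users` distinct accounts inside `window` while averaging at most
    `max_per_user` failures per account (spray, not brute force).
    Also lists accounts that later succeeded from the same source."""
    events = sorted(parse(log))
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, evs in by_ip.items():
        fails = [(ts, u) for ts, u, r in evs if r == "failure"]
        for i, (start, _) in enumerate(fails):          # slide window over failures
            in_win = [u for ts, u in fails[i:] if ts - start <= window]
            users = set(in_win)
            if len(users) >= min_users and len(in_win) / len(users) <= max_per_user:
                succeeded = sorted({u for _, u, r in evs if r == "success"})
                hits[ip] = {"sprayed_users": sorted(users), "then_succeeded": succeeded}
                break
    return hits
```

A success following a flagged spray from the same source is the case that warrants immediate credential reset and session revocation, since it matches the "legitimate credentials gleaned from password spray" pattern the post describes.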

In some cases, the researchers said that Peach Sandstorm has used this tradecraft to compromise an intermediate target and enable access to downstream environments. “As one example, Peach Sandstorm carried out a wave of attacks in 2019 that coincided with a rise in tensions between the United States and the Islamic Republic of Iran,” they added.

Unlike password spray operations, which are noisy by definition, a subset of Peach Sandstorm’s 2023 post-compromise activity has been stealthy and sophisticated. Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than the capabilities used by Peach Sandstorm in the past.

Microsoft observed Peach Sandstorm using two distinct sets of TTPs in the early stages of the intrusion lifecycle in 2023 attacks. The researchers added that in the later stages of known compromises, the group used different combinations from a set of known TTPs to drop additional tools, move laterally, and exfiltrate data from a target. The observed TTPs included password spray activity, internal reconnaissance with AzureHound or Roadtools, multiple persistence mechanisms, and remote exploitation of vulnerable internet-facing applications.

The researchers detailed that in a subset of intrusions in this campaign, Peach Sandstorm deployed AnyDesk, a commercial remote monitoring and management (RMM) tool, to maintain access to a target. AnyDesk has a range of capabilities that allow users to remotely access a network, persist in a compromised environment, and enable command and control (C2). The convenience and utility of a tool like AnyDesk is amplified by the fact that it might be permitted by application controls in environments where it is used legitimately by IT support personnel or system administrators.

In a March 2023 intrusion, Peach Sandstorm conducted a Golden SAML attack to access a target’s cloud resources, the researchers detailed. “In a Golden SAML attack, an adversary steals private keys from a target’s on-premises Active Directory Federated Services (AD FS) server and uses the stolen keys to mint a SAML token trusted by a target’s Microsoft 365 environment. If successful, a threat actor could bypass AD FS authentication and access federated services as any user,” they added.

In at least one intrusion, Microsoft observed Peach Sandstorm using a legitimate VMware executable to carry out a search order hijack. DLL search order hijacking allows adversaries to introduce malicious code into an environment in a way that blends in with normal activity.

Additionally, in a handful of environments, Microsoft observed Peach Sandstorm using EagleRelay to tunnel traffic back to their infrastructure. “In these instances, Peach Sandstorm created a new virtual machine in a compromised Azure subscription. These virtual machines were used to run EagleRelay, a custom tool, to tunnel traffic between actor-controlled systems and targets’ systems. In at least one case, Microsoft also saw Peach Sandstorm attempting to move laterally in a compromised environment using remote desktop protocol (RDP),” the researchers added.

In conclusion, Microsoft said that the capabilities observed in this campaign are concerning, as it saw that Peach Sandstorm used legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity.

“While the specific effects in this campaign vary based on the threat actor’s decisions, even initial access could adversely impact the confidentiality of a given environment,” according to the researchers. “Microsoft continues to work across its platforms to identify abuse, take down malicious activity, and implement new proactive protections to discourage malicious actors from using our services. We encourage customers and the industry to report abuse.”

The researchers added that as Peach Sandstorm “increasingly develops and uses new capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these attacks. Microsoft will continue to monitor Peach Sandstorm activity and implement robust protections for our customers.”

Last month, Microsoft researchers identified a nation-state activity group tracked as Flax Typhoon, based in China, that is targeting dozens of organizations in Taiwan with the likely intention of performing espionage. Flax Typhoon gains and maintains long-term access to Taiwanese organizations’ networks with minimal use of malware, relying on tools built into the operating system, along with some usually benign software to quietly remain in these networks.
