A new Microsoft report documents new activity by an old state-backed threat group that won’t go away. A team of Iranian hackers that has been active since at least 2012 has been on a recent streak of targeting defense organizations, pharmaceutical companies and other high-value targets that might have valuable research to appropriate. APT33, or “Peach Sandstorm” as Microsoft likes to call them, is making password spray attacks one of its primary tools of forced entry.
The technique provides an interesting contrast, as it is extremely visible and easy to detect initially yet provides a safe means of dwelling on target systems for months once credentials are actually captured. The Iranian hackers were most active from February to July and also have a series of documented vulnerabilities that they home in on.
Iranian hackers having great success with password spray attacks
Password spray attacks are relatively simple, provided one has a good botnet to launch them from, but they have been sharply on the rise in recent years and have proven successful enough for even advanced nation-state threat groups to adopt. They seem to be particularly successful against large enterprise companies, likely because there will be at least one employee who has a weak password or reuses something that has been exposed in a prior data breach.
The attacks make a lot of initial noise, definitely the sort of thing defense organizations or similar high-level targets will notice. But once some working credentials have been verified, the Iranian hackers can slip below the radar for extended periods. Unique and strong passwords are usually an adequate defense against this approach, particularly when combined with MFA. However, not all organizations are on board the MFA train just yet, nor are all of them enforcing complex passwords and routinely checking for leaks.
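The contrast described above, a noisy spray followed by a quiet success, is exactly what a detection rule should key on: one source address failing logons against many distinct accounts in a short window, and then any success from that same source. The following is an added example written for this article, not code from Microsoft's report or from the article itself; the log line format, the source addresses, the ten-minute window and the eight-account threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the Microsoft report or this article): a small
password-spray detector run over constructed sign-in log lines.

A spray tries one or a few common passwords against many accounts, so the
signature is one source producing failed logons for many *distinct*
usernames within a short window. The higher-value alert is a later success
from that same source: that is the moment the attacker stops making noise.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp source user result"
# format. 203.0.113.5 sprays ten accounts and then logs in as one of them;
# 198.51.100.7 is a single user mistyping a password, which is not a spray.
SAMPLE_LOG = """\
2023-06-01T09:00:01Z 203.0.113.5 alice FAIL
2023-06-01T09:00:02Z 203.0.113.5 bob FAIL
2023-06-01T09:00:03Z 203.0.113.5 carol FAIL
2023-06-01T09:00:04Z 203.0.113.5 dave FAIL
2023-06-01T09:00:05Z 203.0.113.5 erin FAIL
2023-06-01T09:00:06Z 203.0.113.5 frank FAIL
2023-06-01T09:00:07Z 203.0.113.5 grace FAIL
2023-06-01T09:00:08Z 203.0.113.5 heidi FAIL
2023-06-01T09:00:09Z 203.0.113.5 ivan FAIL
2023-06-01T09:00:10Z 203.0.113.5 judy FAIL
2023-06-01T09:01:30Z 203.0.113.5 dave SUCCESS
2023-06-01T09:00:20Z 198.51.100.7 alice FAIL
2023-06-01T09:00:25Z 198.51.100.7 alice FAIL
2023-06-01T09:00:40Z 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, source, user, succeeded) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result == "SUCCESS"))
    events.sort()
    return events


def detect_spray(events, window=timedelta(minutes=10), min_accounts=8):
    """Return {source: alert} for every source whose failed logons span at least
    `min_accounts` distinct users inside any sliding `window`, plus the successes
    from that source at or after the moment the threshold was first crossed."""
    failures = defaultdict(list)   # source -> [(ts, user)] for failed logons
    successes = defaultdict(list)  # source -> [(ts, user)] for successful logons
    for ts, src, user, ok in events:
        (successes if ok else failures)[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        in_window = defaultdict(int)  # user -> failures currently inside the window
        start = 0                      # index of the oldest failure still in the window
        for ts, user in fails:
            in_window[user] += 1
            # Slide the window forward: drop failures older than `window` before `ts`.
            while fails[start][0] < ts - window:
                old_user = fails[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if len(in_window) >= min_accounts:
                alert = alerts.setdefault(src, {
                    "distinct_accounts": 0,
                    "spray_detected_at": ts,
                    "post_spray_success": [],
                })
                alert["distinct_accounts"] = max(alert["distinct_accounts"], len(in_window))
        if src in alerts:
            detected = alerts[src]["spray_detected_at"]
            # Any success after detection is the "slipped below the radar" event.
            alerts[src]["post_spray_success"] = [
                (user, ts) for ts, user in successes[src] if ts >= detected
            ]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(src, alert)
```

Run against the constructed log, the detector flags only 203.0.113.5, with ten distinct accounts and a post-spray success as dave; the repeated failures from 198.51.100.7 against a single account never cross the distinct-account threshold, which is the property that separates a spray from a user who forgot a password. In a real environment the threshold and window would be tuned against the tenant's normal failure rate, and the source key would typically be widened to an ASN or device fingerprint, since the botnets mentioned above rotate addresses.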
Defense organizations, satellites compromised by relatively simple attacks
The Iranian hackers have been in action since 2013, and have been known to use password spray attacks for at least several years now. They are identified by target selection (resources in the US/Europe and rival Middle East nations), custom malware and the fact that the group almost exclusively operates from 9 AM to 5 PM in Iran. The most recent campaign appears to have a particular focus on defense organizations, satellites and pharmaceutical companies.
Though the Iranian hackers have used password spray attacks for some time, they now appear to be more sophisticated and capable of running more login attempts in a short time than ever before. Microsoft reports that the campaign from February to July involved thousands of attacks, and that the group is increasingly looking for weak links in vendor supply chains rather than going directly at “hard targets” like defense organizations.
In addition to password spray attacks, the group actively seeks out and exploits documented vulnerabilities in Confluence and Zoho products. Once it obtains credentials, the group looks directly to Azure as a means of moving throughout the environment via newly created subscriptions. It also heavily targets Office 365 accounts, though Microsoft reports it has had much less success in that area.