Iranian state hackers targeted satellite, defense organizations worldwide
Hackers linked to Iran’s government targeted thousands of organizations in the satellite, defense, and pharmaceutical industries as part of an espionage campaign, according to new research.
The hacking group behind the attacks, tracked by Microsoft as Peach Sandstorm, successfully compromised some targeted organizations and stole their data, according to a report published Thursday by the tech giant.
Microsoft didn't reveal which countries were targeted. Recent attacks linked to Iran have focused mainly on Israel, the U.S., Brazil, and the United Arab Emirates.
In its new campaign, which ran from February to July, Peach Sandstorm used a combination of publicly available and custom tools to compromise its targets and collect intelligence “in support of Iranian state interests,” Microsoft said.
To break into their victims' accounts, the hackers used a technique called "password spraying," in which they tried a single password or a short list of commonly used passwords across many accounts to gain unauthorized access to the targets' devices.
As simple as it sounds, this technique allows attackers to increase their chances of success and reduce the risk of triggering automatic account lockouts, Microsoft said.
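The lockout trade-off described above is also what makes a spray detectable: one source produces failed sign-ins against many distinct accounts while keeping each account below the lockout threshold, which looks very different from a brute-force attempt against a single account. The following detector is an added example written for this article, not code from Microsoft's report or from The Record; the log format (timestamp, account, source IP, result), the lockout threshold of 5, the 30-minute window and all sample sign-in lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tenant policy and tuning values (constructed for this example).
LOCKOUT_THRESHOLD = 5          # failures per account before lockout in the assumed policy
MIN_ACCOUNTS = 10              # distinct accounts from one source that make a spray suspicious
WINDOW = timedelta(minutes=30)

# Constructed sample sign-in log (not real data). Fields: timestamp, account, source IP, result.
SPRAY_SOURCE = "203.0.113.7"   # one source, one guess against each of many accounts
BRUTE_SOURCE = "198.51.100.9"  # one source hammering a single account
SAMPLE_LOG = [
    f"2023-03-01T09:{i:02d}:00Z user{i:02d} {SPRAY_SOURCE} FAILURE" for i in range(12)
] + [
    f"2023-03-01T09:{i:02d}:30Z bob {BRUTE_SOURCE} FAILURE" for i in range(8)
] + [
    "2023-03-01T09:05:00Z alice 192.0.2.5 FAILURE",       # ordinary user typo
    "2023-03-01T09:05:20Z alice 192.0.2.5 SUCCESS",
    "2023-03-01T09:06:00Z user03 203.0.113.7 SUCCESS",    # the spray found a weak password
]


def parse_event(line):
    """Split one constructed log line into (timestamp, account, source IP, result)."""
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_spray(lines, min_accounts=MIN_ACCOUNTS, lockout=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every source whose
    failed sign-ins, within any single window, hit at least `min_accounts` distinct
    accounts while each account stays below the lockout threshold. `successes` lists
    targeted accounts that later signed in successfully from the same source, the
    first thing an incident responder wants after confirming a spray."""
    failures = defaultdict(list)   # ip -> [(timestamp, account)] for failed sign-ins
    successes = defaultdict(set)   # ip -> accounts with a successful sign-in
    for line in lines:
        ts, user, ip, result = parse_event(line)
        if result == "FAILURE":
            failures[ip].append((ts, user))
        elif result == "SUCCESS":
            successes[ip].add(user)

    findings = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        spraying = False
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_account[user] += 1
            # Many accounts, each kept under the lockout threshold: the spray signature.
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout:
                spraying = True
                break
        if spraying:
            targeted = {user for _, user in events}
            findings[ip] = {
                "accounts": sorted(targeted),
                "successes": sorted(successes[ip] & targeted),
            }
    return findings


if __name__ == "__main__":
    for ip, hit in detect_spray(SAMPLE_LOG).items():
        print(f"{ip}: {len(hit['accounts'])} accounts targeted, compromised: {hit['successes']}")
```

The brute-force source is deliberately not flagged by this rule: eight failures against one account exceed the assumed lockout threshold and would be caught by the lockout itself or by a per-account rule, whereas the spraying source never trips the lockout and is only visible when failures are grouped by source rather than by account. Real tenant sign-in logs carry more fields (application, user agent, location) that can be folded into the grouping key in the same way.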
Peach Sandstorm — which was formerly tracked as Holmium — also used password spraying in its previous attacks, which included targeting industries such as aerospace, defense, chemicals, and mining.
When the group manages to compromise the target, its attacks become more sophisticated. For example, Microsoft noticed the hackers using the company's AzureHound and Roadtools tools to collect information from a victim's system, access data in a target's cloud environment, and transfer specific data of interest to a single database.
The hackers also installed the Azure Arc client on a compromised device and linked it to their own Azure subscription, giving them control over targeted devices from the hackers' cloud infrastructure.
Peach Sandstorm also tried to take advantage of publicly known vulnerabilities, such as the one in Zoho ManageEngine, a service used for IT service management, and one in the team collaboration tool Confluence.
Peach Sandstorm also used AnyDesk, a commercial remote monitoring and management tool, to keep access to its targets. U.S. cybersecurity authorities have warned against the misuse of such tools, as they are “an easy way to circumvent security systems and establish longstanding access to victim networks.”
“The capabilities observed in this campaign are concerning,” Microsoft said, and even initial access by foreign hackers “could adversely impact the victims.”
This week, researchers found a new backdoor tool used by suspected Iranian hackers against targets in Brazil, Israel, and the UAE. The hacker group, known as Ballistic Bobcat or Charming Kitten, deployed this tool between March 2021 and June 2022, targeting at least 34 victims, mostly in Israel, according to cybersecurity company ESET.
A recent report by Microsoft also said that Iranian state-backed hackers are increasingly using influence operations to amplify the impact of conventional cyberattacks and promote Tehran's political agenda in Israel and the U.S.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.