Microsoft: Iranian hackers targeting ‘high-profile’ experts on Middle East

“High-profile” experts working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the U.K. and the U.S. have been targeted by hackers allegedly connected to the Iranian government, according to a new report from Microsoft.

In a blog post, Microsoft’s Threat Intelligence team said that since November a subset of a hacking group they call Mint Sandstorm has used “bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files.”

Microsoft said some incidents it has observed involved new tools it had not seen before.

“Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails. In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures,” Microsoft said.

“Additionally, Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.”

Evidence from several incidents shows the most recent campaign is tied to the current conflict in Gaza. Some of the phishing lures seen involve the Israel-Hamas war, and Microsoft researchers believe the goal is to get a variety of inside perspectives on the conflict.

Mint Sandstorm is known by other researchers as APT35 or Charming Kitten and is believed to be tied to the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran’s military. The targets of their campaigns typically have access to information important to leaders in Tehran.

More Coverage: Threat-hunter says Iran is stepping up the sophistication of its cyberattacks

In the past, Microsoft researchers have seen members of the group go after journalists, researchers, professors, or other people with “resource-intensive social engineering campaigns.”

“In this campaign, Mint Sandstorm masqueraded as high-profile individuals including as a journalist at a reputable news outlet,” they added.

“In some cases, the threat actor used an email address spoofed to resemble a personal email account belonging to the journalist they sought to impersonate and sent benign emails to targets requesting their input on an article about the Israel-Hamas war.”

Several other cases involved legitimate but compromised email accounts belonging to the people they attempted to impersonate. Some of the initial emails did not carry any malicious content as the hackers sought to develop a relationship with their targets before beginning the espionage process.

Once a target agreed to look at an article or document, the hackers sent a link to a malicious domain that took the victim to a .rar file allegedly containing the documents.

These kinds of tactics “might have played a role in the success of this campaign,” Microsoft noted. In several cases, the hackers dropped custom backdoors onto victim systems allowing them to maintain their access.

One backdoor tool — named MediaPL — is a custom-made tool that is built to masquerade as Windows Media Player, an application used to store and play audio and video files. The backdoor can send encrypted communications to a hacker-controlled server, terminate itself or launch commands.

“The ability to obtain and maintain remote access to a target’s system can enable Mint Sandstorm to conduct a range of activities that can adversely impact the confidentiality of a system,” they said.

“Compromise of a targeted system can also create legal and reputational risks for organizations affected by this campaign. In light of the patience, resources, and skills observed in campaigns attributed to this subgroup of Mint Sandstorm, Microsoft continues to update and augment our detection capabilities to help customers defend against this threat.”

In November and December, several leading cybersecurity agencies in the U.S. warned of a campaign from a hacking group allegedly connected to the IRGC targeting U.S. water utilities.

U.S. President Joe Biden said on Saturday that the White House sent a private message to Iran about several recent incidents involving attacks on commercial ships in the Red Sea.