An Iranian state-backed APT group tracked as Peach Sandstorm, also known as APT33, Elfin, and Refined Kitten, ran an extensive cyber-espionage campaign over roughly six months, attempting to authenticate to thousands of organizations worldwide, according to Microsoft. The campaign, conducted between February and July 2023, relied on password spraying, in which an attacker tries a small set of common passwords against a large number of accounts, keeping the attempts per account low enough to stay under lockout thresholds.
While the initial attacks hit numerous organizations across sectors and regions, later phases of the campaign showed increased sophistication, with the threat actors employing cloud-based tactics, techniques and procedures. The targeting and the data taken are consistent with intelligence collection aligned with Iranian state interests.
Microsoft’s report notes that in some cases the attackers went on to access and exfiltrate data from victim environments. Microsoft did not name the affected organizations, but APT33 has historically concentrated on the satellite, defense, and pharmaceutical sectors.
The attackers used the open-source tools AzureHound and ROADtools to enumerate Microsoft Entra ID (formerly Azure Active Directory) environments after gaining access, and established multiple persistence mechanisms. One of these was Azure Arc: the group installed the Azure Arc agent on devices inside compromised environments and connected them to an Azure subscription under attacker control, which gave them ongoing remote management of those hosts. Both reconnaissance tools are legitimate administrative utilities, so their appearance is only a signal when they run under credentials or from hosts that are not expected to perform tenant enumeration.
In some instances, the group moved from password spraying to vulnerability exploitation, targeting known remote code execution flaws in Zoho ManageEngine and Atlassian Confluence. The commercial remote monitoring and management (RMM) tool AnyDesk was also deployed to maintain access to certain targets.
Microsoft’s assessment expressed concern about the capabilities observed in this campaign. Peach Sandstorm used valid credentials obtained through password spraying to authenticate to target systems, persist in those environments, and deploy additional tooling for follow-on activity, which means many of the sign-ins looked like ordinary user logons rather than attacks.
The group also created new Azure subscriptions and used the access they provided as infrastructure for further attacks against other organizations’ environments. The report stressed that even initial access of this kind can compromise the confidentiality of a targeted environment.