Iranian Government-Supported Hackers Target US Energy and Transit Systems
An Iranian government-backed actor known as Mint Sandstorm has been linked to attacks aimed at critical infrastructure in the US between late 2021 and mid-2022.
“The Mint Sandstorm subgroup is technically and operationally mature, able to develop bespoke tooling and quickly weaponize N-day vulnerabilities, and has demonstrated agility in its operational focus, which appears to be in line with Iran’s national priorities,” Microsoft’s Threat Intelligence team said in an analysis.
The entities targeted included seaports, energy companies, transit systems, and major US utilities and gas companies. The activity was allegedly carried out in retaliation for attacks targeting maritime payment systems, rail networks, and gas stations that occurred between May 2020 and late 2021.
It should be noted that Iran later accused Israel and the US of orchestrating the attack on the gas stations in an attempt to create unrest in the country.
Mint Sandstorm is the new name given to a threat actor previously tracked by Microsoft under the name Phosphorus, and is also known as APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda.
The nomenclature change is part of Microsoft’s shift from its chemical-element-inspired monikers to a new weather-themed threat actor naming taxonomy, partly driven by the increasing “complexity, scale and volume of threats”.
Unlike MuddyWater (aka Mercury or Mango Sandstorm), which is known to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS), Mint Sandstorm is said to be linked to the Islamic Revolutionary Guard Corps (IRGC).
The attacks detailed by Redmond demonstrate an adversary’s ability to continually refine its tactics as part of a highly targeted phishing campaign to gain access to targeted environments.
This includes the rapid adoption of publicly disclosed proof-of-concepts (PoCs) for vulnerabilities in internet-facing applications (e.g., CVE-2022-47966 and CVE-2022-47986) into their playbooks for initial access and persistence.
A successful breach is followed by the deployment of a custom PowerShell script, which is then used to launch one of two attack chains, the first of which relies on additional PowerShell scripts to connect to remote servers and steal Active Directory databases.
The other sequence involves using Impacket to connect to an actor-controlled server and deploying bespoke implants called Drokbk and Soldier, the latter being a multi-stage .NET backdoor with the ability to download and run additional tools and to uninstall itself.
Drokbk was previously detailed by the Secureworks Counter Threat Unit (CTU) in December 2022, linking it to a threat actor known as Nemesis Kitten (aka Cobalt Mirage, TunnelVision, or UNC2448), a sub-cluster of Mint Sandstorm.
Microsoft also attributed to the threat actor a low-volume phishing campaign that culminated in the use of a third custom, modular backdoor called CharmPower, a PowerShell-based malware that can read files, gather host information, and exfiltrate data.
“The capabilities observed in this intrusion attributed to the Mint Sandstorm subgroup are cause for concern because they allow operators to conceal C2 communications, persist in compromised systems, and use a variety of post-compromise tools with varying capabilities,” the tech giant added.