Peach Sandstorm [2] [3] [4] [5] [6] [7] [8] [9], also known as HOLMIUM and APT33, is an Iranian state-operated cyber-espionage group that has been running a global espionage campaign since at least 2013. It targets organizations across many industries [9], including satellite [9], defense [2] [3] [4] [5] [6] [7] [8] [9], government [1] [3] [9], health care [1], pharmaceuticals [2] [3] [4] [5] [6] [7], and transportation [1].

Description

Peach Sandstorm employs a range of tactics in its cyber-espionage activity. Initial access comes from cloud-based password spraying and exploitation of known vulnerabilities. Once inside, the group uses tools such as AzureHound and ROADtools for reconnaissance and data gathering [9]. To maintain persistence in target environments [4] [6] [7] [9], it creates new Azure subscriptions or uses compromised resources [9]. Remote access is maintained through tools such as AnyDesk RMM and a custom tool called EagleRelay, which tunnels traffic back to the group's command and control infrastructure [9].

Of particular concern is their use of legitimate credentials obtained through password spray attacks [5] [7] [9], which allows them to authenticate and persist in target environments. Since at least September 2020, Peach Sandstorm has been observed deploying ransomware. They have previously targeted the aerospace, energy [2], transportation [1], and pharmaceutical sectors with spear-phishing attacks and have been observed using the SHAPESHIFT wiper malware [2]. Most of their activity occurs between 9:00 AM and 5:00 PM Iran Standard Time [2], aligning with an Iranian pattern of life [2].
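As an added example (not from the original article or the reports it cites), the following detection logic looks for the cloud password-spray pattern described above in sign-in events: one source failing against many distinct accounts with only one or two attempts each, followed by a success against one of the sprayed accounts. The event format, thresholds and sample data are constructed assumptions, not a vendor schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry):
# (timestamp, source_ip, user, result)
SAMPLE_EVENTS = [
    ("2023-09-14T09:00:01", "203.0.113.10", "alice@example.com", "FAILURE"),
    ("2023-09-14T09:00:07", "203.0.113.10", "bob@example.com", "FAILURE"),
    ("2023-09-14T09:00:12", "203.0.113.10", "carol@example.com", "FAILURE"),
    ("2023-09-14T09:00:19", "203.0.113.10", "dave@example.com", "FAILURE"),
    ("2023-09-14T09:00:25", "203.0.113.10", "erin@example.com", "FAILURE"),
    ("2023-09-14T09:00:31", "203.0.113.10", "frank@example.com", "FAILURE"),
    # Success against a sprayed account: the credential-reuse step the text warns about.
    ("2023-09-14T09:03:40", "203.0.113.10", "erin@example.com", "SUCCESS"),
    # One user mistyping a password twice is not a spray and must not be flagged.
    ("2023-09-14T10:15:00", "198.51.100.7", "grace@example.com", "FAILURE"),
    ("2023-09-14T10:15:20", "198.51.100.7", "grace@example.com", "FAILURE"),
    ("2023-09-14T10:15:45", "198.51.100.7", "grace@example.com", "SUCCESS"),
]


def _parse(events):
    """Convert ISO timestamps to datetime and order events chronologically."""
    parsed = ((datetime.fromisoformat(ts), ip, user, res) for ts, ip, user, res in events)
    return sorted(parsed, key=lambda e: e[0])


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {source_ip: {"accounts": set, "compromised": set}} for each source
    whose failures hit at least `min_accounts` distinct users with at most
    `max_per_account` tries each inside `window` (spray, not brute force), and
    record later successes from the same source against a sprayed account."""
    by_ip = defaultdict(list)
    for ev in _parse(events):
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start <= window]
            per_user = Counter(e[2] for e in in_window)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                sprayed = set(per_user)
                compromised = {e[2] for e in evs
                               if e[3] == "SUCCESS" and e[2] in sprayed and e[0] >= start}
                findings[ip] = {"accounts": sprayed, "compromised": compromised}
                break  # one finding per source is enough; triage the whole window
    return findings
```

A non-empty `compromised` set is the high-priority case: it is the point at which password reset and session revocation, as recommended in the conclusion, should be applied to that account.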

Conclusion

Organizations must build defenses against Peach Sandstorm's cyber-espionage activity. It is crucial to reset passwords and revoke session cookies for affected accounts [5] [8], strengthen multifactor authentication [5] [8], maintain strong credential hygiene [5] [8], monitor for identity-based risks [8], transition to passwordless authentication methods [8], and secure Active Directory Federation Services (AD FS) servers [8]. Implementing these measures raises the cost of operations for the threat actor and limits the impact of its attacks. Looking ahead, it is important to stay vigilant and adapt to evolving cyber threats.

References

[1] https://www.rferl.org/a/iran-cyberattaks-us-critical/31567511.html
[2] https://thehackernews.com/2023/09/iranian-nation-state-actors-employ.html
[3] https://www.csoonline.com/article/652668/iranian-cyberspies-target-thousands-of-organizations-with-password-spray-attacks.html
[4] https://thecyberwire.com/podcasts/daily-podcast/1907/transcript
[5] https://www.darkreading.com/application-security/microsoft-peach-sandstorm-cyberattacks-target-defense-pharmaceutical-orgs
[6] https://flyytech.com/2023/09/16/iranian-threat-group-hits-thousands-with-password-spray-campaign/
[7] https://www.infosecurity-magazine.com/news/iranian-threat-group-thousands/
[8] https://thecyberthrone.in/2023/09/16/peach-sandstorm-apt-from-iran/
[9] https://duo.com/decipher/iranian-threat-group-targets-cloud-with-password-spraying-attacks