The Iranian government-backed hacking group known as APT 33 has been active for more than 10 years, conducting aggressive espionage operations against a diverse array of public and private sector victims around the world, including critical infrastructure targets. And while the group is particularly known for strategic but technically simple attacks like “password spraying,” it has also dabbled in developing more sophisticated hacking tools, including potentially destructive malware tailored to disrupt industrial control systems. Now, findings from Microsoft released on Wednesday indicate that the group is continuing to evolve its techniques with a new multistage backdoor.
Microsoft Threat Intelligence says that the group, which it calls Peach Sandstorm, has developed custom malware that attackers can use to establish remote access into victim networks. The backdoor, which Microsoft named “Tickler” for some reason, infects a target after the hacking group gains initial access via password spraying or social engineering. Beginning in April and as recently as July, the researchers observed Peach Sandstorm deploying the backdoor against victims in sectors including satellite, communications equipment, and oil and gas. Microsoft also says that the group has used the malware to target federal and state government entities in the United States and the United Arab Emirates.
“We are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft,” Microsoft Threat Intelligence said on Wednesday in its report. “This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their longstanding cyber operations.”
The researchers observed Peach Sandstorm deploying Tickler and then manipulating victim Azure cloud infrastructure using the hackers’ Azure subscriptions to gain full control of target systems. Microsoft says that it has notified customers who were impacted by the targeting the researchers observed.
The group has also continued its low-tech password spraying attacks, according to Microsoft, in which hackers attempt to access many target accounts by guessing leaked or common passwords until one lets them in. Peach Sandstorm has been using this technique to gain access to target systems both to infect them with the Tickler backdoor and for other types of espionage operations. Since February 2023, the researchers say they have observed the hackers “carrying out password spray activity against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying to target United States and Australian organizations that are in the space, defense, government, and education, sectors.
For the full read, visit WIRED.