An Iranian hacking group went on the offensive against U.S. targets, Microsoft says

Analysis by Tim Starks with research by David DiMolfetta

An Iranian government-linked hacking group previously known for its focus on reconnaissance has shifted to targeting U.S. critical infrastructure, potentially with the goal of launching destructive cyberattacks, Microsoft said in a report today.

The change in approach began in 2021 and coincided with a period when Iran suffered cyberattacks for which it blamed Israel and the United States, Microsoft noted.

Microsoft says the hackers are a subgroup of an outfit they’re calling Mint Sandstorm, stemming from a new naming system for hacking groups that the company is debuting today. It previously called the group Phosphorus, and other cybersecurity firms call it Charming Kitten, APT 35, APT 42 and TA453. 

“Mint Sandstorm is known for going after dissidents, activists, the defense industrial base,” John Lambert, who leads Microsoft’s consolidated intelligence and research teams for Microsoft Security, told me.

“We saw a marked shift to U.S. critical infrastructure … where multiple seaports, transportation, the energy sector, were targeted for access.

“One assessment could be that this is pre-positioning for access to critical infrastructure in the United States, to be ready for some retaliatory action should the order be given,” he said.

Lambert said that Microsoft had seen successful intrusions from the group in multiple sectors. 

The backdrop

Microsoft sees a broader shift among Iranian hackers.

“This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021,” the Microsoft report reads.

“The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations,” the report states.

“Given the hard line consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.”

Security researchers have concluded that Mint Sandstorm is tied to the Islamic Revolutionary Guard Corps (IRGC). Iran has denied carrying out cyberattacks.

Other cyber firms have taken note of Mint Sandstorm’s increased aggression. Proofpoint said in December that the group had expanded its target list to include politicians, government officials and medical researchers. But Proofpoint also said that a sub-cluster of the group was acting in support of the IRGC’s murder-for-hire and kidnapping plots.

“TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting,” the Proofpoint report concluded.

“Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations.”

Mint Sandstorm’s newfound aggressiveness overlapped with a series of actual or apparent cyberattacks in Iran. In 2020, cyber and intelligence officials believe Israel carried out an attack on an Iranian port facility, my colleagues Joby Warrick and Ellen Nakashima reported.

In 2021, hackers breached and disrupted an Iranian rail network.

Perhaps most significantly, also in 2021, Iran’s civil defense chief blamed Israel and the United States as the likely parties behind an attack on Iran’s national fuel distribution system.

Additionally, the subgroup “displays more remarkable technical and operational sophistication” within Mint Sandstorm, Lambert said. Once a proof-of-concept for an exploit is published to demonstrate the use of a security flaw, the subgroup quickly weaponizes it, he said.

That kind of attack would give hackers “a very privileged position inside the target network, [and] typically would have elevated credentials right away,” he said, putting them in a position to do more harm.

The subgroup also has developed their own hacking tools, rather than relying on the tools of others, Microsoft says. That custom malware shows off the group’s “operational flexibility,” Lambert said.

Microsoft says the targeting of critical infrastructure continued through mid-2022, but since then the group seemingly has focused on volume of victims.

New names

Microsoft has historically named hacking groups after chemical elements on the periodic table. Now, it’ll use weather in a bid to provide more information in the names themselves. For instance, while Sandstorm will indicate an Iranian group, Blizzard will indicate Russia and Flood will indicate influence operations. The first part of the name will be a color or pattern.

In addition to the desire to provide more information in the names, Lambert said, Microsoft is responding to customers who have complained it’s hard to search the web for the old names. “If you search for Zinc, you might find sunscreen,” he said.