Iranian Group APT33 Targets US Organizations in Espionage Attacks

Microsoft Threat Intelligence states that the Iranian hacker group Apt33 conducted large-scale attacks from February 2023, aimed at stealing passwords and sensitive information.

According to Microsoft, the Iranian hacker group APT33 (also known as Peach Sandstorm, Holmium, Refined Kitten) has been carrying out widespread cyber attacks since February 2023. The group has targeted thousands of organizations in the USA and other countries. Notably, the hackers have shown a particular interest in the defense sectors, satellite technologies, and pharmaceutical industries.

Apt33 employs a method called Password Spraying, which involves attempting to gain access to multiple accounts using one password or a list of common passwords. This approach differs from the Buborsat technique, where a single account is attacked using a large password list. By using Password Spraying, the hackers can significantly increase their chances of success while minimizing the risk of automatic account blocking.

The hackers have also exploited vulnerabilities in unpatched Confluence and ManageEngine devices to infiltrate victims’ networks. Once inside, APT33 has utilized frameworks such as AzureHound and Roadtools for reconnaissance in Azure Active Directory and extracting data from victims’ cloud storage. Additionally, the hackers have leveraged compromised Azure accounting data to create new Azure ARC subscriptions or gain control over devices within the victims’ networks.

Based on the targeted victims and observed activities, Microsoft experts have concluded that the campaign is likely being carried out to gather intelligence in favor of Iran.

Iranian cybercriminals have been responsible for some of the most devastating cyber attacks in the past decade, causing widespread destruction to computer networks across the Middle East and the United States. In response, Microsoft has conducted a detailed analysis of Iranian hacker activities to gain insights into their structure, objectives, and capabilities.

In a recent development, the Iranian hacker group Black Reward, previously known for targeting the Iranian government, has announced a new attack aimed at a popular financial application used by millions of Iranians for digital transactions.

/Reports, release notes, official announcements.