Microsoft has uncovered a series of cyberattacks carried out by APT33, also known as PEACH SANDSTORM, HOLMIUM, ELFIN, and MAGIC HOUND. These attacks primarily target organizations in the space, defense, and pharmaceutical sectors.
The APT33 group has been active since 2013, initially focusing on the aviation industry and energy companies involved in petrochemical production. Most of their targets were located in the Middle East, but incidents in the USA, South Korea, and Europe were also reported.
Between February and July 2023, the hackers conducted attacks against numerous organizations worldwide. According to Microsoft, the initial stage of the attacks likely involved gathering intelligence information on behalf of Iran.
The attackers employed a technique known as “password spraying” to avoid the automatic account lockout normally triggered after several failed login attempts against a single account: rather than trying many passwords against one account, they tried the same password across a large number of accounts, so each account saw only one or a few failures. Once authentication succeeded, the hackers used various tools to search the compromised systems for valuable information.
Anonymity was a key aspect of this campaign: the attackers routed traffic through Tor IP addresses and used a specific user agent, “go-http-client”, to complicate identification and tracking.
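As an added illustration (not from Microsoft's report or this article), the following Python shows how a defender could surface the spraying pattern described above in sign-in telemetry: many distinct accounts failing from one source inside a short window, with the go-http-client user agent as a secondary signal. The event rows, addresses and account names are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real telemetry). One source tries a
# single guess against many distinct accounts; the rest is ordinary user noise.
# Fields: timestamp, account, source IP, user agent, success flag.
SIGNIN_EVENTS = [
    ("2023-05-02T03:00:01", "alice@corp.example", "198.51.100.7", "go-http-client/1.1", False),
    ("2023-05-02T03:00:04", "bob@corp.example",   "198.51.100.7", "go-http-client/1.1", False),
    ("2023-05-02T03:00:08", "carol@corp.example", "198.51.100.7", "go-http-client/1.1", False),
    ("2023-05-02T03:00:11", "dave@corp.example",  "198.51.100.7", "go-http-client/1.1", False),
    ("2023-05-02T03:00:15", "erin@corp.example",  "198.51.100.7", "go-http-client/1.1", False),
    ("2023-05-02T03:00:19", "frank@corp.example", "198.51.100.7", "go-http-client/1.1", True),
    ("2023-05-02T03:05:00", "alice@corp.example", "203.0.113.9",  "Mozilla/5.0 (browser)", False),
    ("2023-05-02T03:05:30", "alice@corp.example", "203.0.113.9",  "Mozilla/5.0 (browser)", False),
    ("2023-05-02T03:06:00", "alice@corp.example", "203.0.113.9",  "Mozilla/5.0 (browser)", True),
]

def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=5,
                          suspicious_ua_prefixes=("go-http-client",)):
    """Group failed sign-ins by source IP and look for many *distinct* accounts
    failing inside one time window (the spray signature), as opposed to one
    account failing many times (brute force or a forgotten password).
    Returns ip -> alert with the accounts hit, whether any attempt from that
    source succeeded, and whether a known tooling user agent was seen."""
    by_ip = defaultdict(list)
    for ts, user, ip, ua, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ua, ok))

    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [r for r in rows if not r[3]]
        # Sliding window over failures: advance `start` until the window fits,
        # then record the largest set of distinct accounts seen in any window.
        start, best = 0, set()
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            hit = {r[1] for r in failures[start:end + 1]}
            if len(hit) > len(best):
                best = hit
        if len(best) >= min_accounts:
            alerts[ip] = {
                "accounts": sorted(best),
                "succeeded_from_source": any(r[3] for r in rows),
                "tooling_ua": any(r[2].lower().startswith(suspicious_ua_prefixes) for r in rows),
            }
    return alerts
```

The per-account failure count stays below a typical lockout threshold, which is exactly why the per-source, distinct-account view is needed to see the spray.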
APT33 also used the AzureHound and ROADtools tools to gather intelligence through Microsoft Entra ID (formerly Azure Active Directory). By installing the Azure Arc client on compromised devices and connecting them to an Azure subscription controlled by the group, APT33 was able to monitor devices within the organization’s local network from the cloud.
In addition, the group attempted to exploit vulnerabilities in Zoho ManageEngine (CVE-2022-47966) and Atlassian Confluence (CVE-2022-26134) to gain access to targeted systems.