Microsoft Accuses Iran of Large-Scale Attacks on US Infrastructure

Microsoft Threat Intelligence Team Discovers Iranian-Supported Attacks on US Critical Infrastructure

A recent report by the Microsoft Threat Intelligence team has revealed that the Iranian government supported attacks on the critical infrastructure of the United States from the end of 2021 to mid-2022. The attacks were carried out by the Mint Sandstorm group, which is tracked under various other names, including Phosphorus, APT35, Charming Kitten, ITG18, TA453, and EULLWW.

According to the report, the technically advanced Mint Sandstorm group is capable of developing special tools and using zero-day vulnerabilities quickly. Additionally, they have shown flexibility in their operational activities, aligning with Iran’s national priorities.

The hackers targeted several sectors, including sea ports, transit systems, and energy and gas companies in the US. These attacks were believed to be in response to previous attacks on sea, railway and gas systems that occurred in 2020-2021.

Microsoft’s report described the attacks in detail, stating that Mint Sandstorm used publicly available proof-of-concept (PoC) exploits for web application vulnerabilities, such as CVE-2022-47966 and CVE-2022-47986, to gain initial access to their targets. Following that, they deployed a custom PowerShell script that activated one of two attack chains.

The first attack chain involved additional PowerShell scripts that connected to a remote server and enabled the theft of Active Directory databases. The second attack chain used Impacket to connect to the C2 server, deploying the custom-made Drokbk and Soldier implants, which acted as multi-stage backdoors that downloaded and launched other tools and also deleted themselves afterwards.

The report highlighted the Mint Sandstorm group’s advanced capabilities, including operating through C2 servers and deploying stealthy, multi-purpose post-compromise tools, which makes their activity challenging to detect.
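As an added illustration of how a defender would look for the chain described above in endpoint telemetry (this is example code written for this article, not tooling from Microsoft or from the report), the following Python script reviews Windows process-creation events for three stages: a web application worker spawning PowerShell after initial access, an export of the Active Directory database, and an Impacket-style remote command execution. The event field names, the process lineage heuristics, and every sample log line are constructed assumptions for the example; they are common, publicly documented detection patterns, not indicators taken from the report.

```python
"""
Added example for this article (not code from Microsoft's report): a minimal
review of Windows process-creation events for the three stages described in
the text. All field names, heuristics and sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent: str    # parent image name (e.g. "w3wp.exe")
    image: str     # child image name (e.g. "powershell.exe")
    cmdline: str   # full command line of the child process


# Web-application worker processes that should not normally launch PowerShell.
# Illustrative set; tune it to the applications actually deployed.
WEB_WORKERS = {"w3wp.exe", "java.exe", "tomcat9.exe", "httpd.exe", "ruby.exe"}

# An ntdsutil "ifm" export or any direct reference to ntds.dit (the Active
# Directory database file) from a non-system process is a strong signal of
# AD database theft.
AD_DB_THEFT = re.compile(r"ntdsutil.*\bifm\b|\bntds\.dit\b", re.IGNORECASE)

# Well-known artefact of Impacket's wmiexec-style execution: cmd.exe started by
# the WMI provider host with output redirected to the ADMIN$ share over loopback.
IMPACKET_EXEC = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.IGNORECASE)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return the stage label an event matches, or None if it looks benign."""
    parent, image = ev.parent.lower(), ev.image.lower()
    if parent in WEB_WORKERS and image == "powershell.exe":
        return "initial-access: web worker spawned PowerShell"
    if AD_DB_THEFT.search(ev.cmdline):
        return "credential-theft: Active Directory database export"
    if parent == "wmiprvse.exe" and image == "cmd.exe" and IMPACKET_EXEC.search(ev.cmdline):
        return "lateral-movement: Impacket-style WMI execution"
    return None


def review(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (host, stage) for every event that matches a stage, in log order."""
    return [(ev.host, tag) for ev in events if (tag := classify(ev))]


# Constructed sample telemetry: three suspicious events and two benign ones.
SAMPLE_EVENTS = [
    ProcessEvent("web01", "java.exe", "powershell.exe",
                 r"powershell.exe -NoProfile -File C:\Windows\Temp\update.ps1"),
    ProcessEvent("dc01", "cmd.exe", "ntdsutil.exe",
                 r'ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'),
    ProcessEvent("fs02", "wmiprvse.exe", "cmd.exe",
                 r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1681234567.89 2>&1"),
    ProcessEvent("ws07", "explorer.exe", "powershell.exe", "powershell.exe -NoProfile"),
    ProcessEvent("web01", "java.exe", "cmd.exe", "cmd.exe /c dir"),
]


if __name__ == "__main__":
    for host, stage in review(SAMPLE_EVENTS):
        print(f"{host}: {stage}")
```

The rules are deliberately narrow so that they stay readable; the last benign event (a web worker launching cmd.exe) shows that real deployments would widen the first rule to other interpreters and add context such as the parent's user account, and would treat each match as a triage lead rather than a verdict.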

Moreover, the Microsoft report noted that the Drokbk implant was previously attributed by SecureWorks to the Nemesis Kitten group, which is a sub-group of Mint Sandstorm.

As attacks on the US’s critical infrastructure continue to rise, the need for robust cybersecurity measures remains urgent. The report recommended that organizations remain vigilant, keep their IT infrastructure patched and up to date, and implement multi-factor authentication to protect against attacks like these.

Source: Microsoft Threat Intelligence team