Full Report
According to Microsoft Threat Research, the Iranian state-sponsored actor Peach Sandstorm was observed using password spray attacks during a campaign to gain unauthorized access to target environments. Active since February 2023, the campaign successfully targeted sa...
Analysis Summary
# Threat Actor: Peach Sandstorm
## Attribution & Identity
* **Identification:** Iranian state-sponsored actor.
* **Known Aliases:** HOLMIUM (Microsoft legacy name), APT33 (FireEye/Mandiant), Elfin (Symantec), Refined Kitten (CrowdStrike), MAGNALLIUM (Dragos).
* **Associations:** Linked to the Islamic Revolutionary Guard Corps (IRGC).
## Activity Summary
* **Recent Campaign:** A widespread operation active since at least February 2023.
* **Operation Overview:** The actor was observed utilizing high-volume password spray attacks to compromise legitimate user accounts and gain unauthorized access to target environments.
* **Persistence:** Following successful authentication, the actor was noted for performing discovery on target networks and utilizing custom tooling for data exfiltration and persistence.
## Tactics, Techniques & Procedures
* **Password Spraying:** (T1110.003) Systematic attempts to access a large number of accounts using a small list of commonly used passwords.
* **Account Discovery:** (T1087) Post-compromise activities to identify valid user accounts and permissions.
* **Persistence:** (T1078 - Valid Accounts) Establishing long-term access to the environment through the compromised credentials.
* **Remote Access:** Use of legitimate remote management tools or custom backdoors to maintain control.
* **Data Exfiltration:** (T1020) Moving sensitive information from the target network to actor-controlled infrastructure.
## Targeting
* **Sectors:** Satellite, Defense, Energy, Pharmaceutical, and Transportation industries.
* **Geography:** Primarily targeting organizations in the United States, Saudi Arabia, and South Korea, though the scope is global.
* **Victims:** The source specifically mentions "sa..." (truncated in the snippet; most likely satellite/space-sector organizations, given the sectors listed) along with other critical infrastructure entities.
## Tools & Infrastructure
* **Tooling:** Use of custom Python scripts for password spraying and specialized backdoors (e.g., FalseFont).
* **Infrastructure:**
  * Actor-controlled domains for Command and Control (C2).
  * Spraying infrastructure often involves residential proxy services or TOR to mask the originating IP addresses.
  * *Note: Specific IPs/URLs were not provided in the snippet; if present they would be defanged as `hxxps[:]//example[.]com` or `127[.]0[.]0[.]1`.*
## Implications
* **Strategic Intent:** The focus on satellite and defense sectors suggests a high interest in gathering intelligence related to commercial and military space capabilities and regional security.
* **Threat Assessment:** Peach Sandstorm remains a persistent and evolving threat. Their shift toward high-volume password spraying indicates a focus on low-skill/high-reward entry vectors that succeed against organizations with weak multi-factor authentication (MFA) policies.
## Mitigations
* **Enforce Multi-Factor Authentication (MFA):** Implement phishing-resistant MFA so that a correctly guessed password alone does not grant access.
* **Password Policies:** Enforce strong password requirements and monitor for leaked credentials.
* **Account Lockout Policies:** Implement thresholds to temporarily lock accounts after a specific number of failed login attempts.
* **Log Monitoring:** Review sign-in logs for unusual patterns, such as a single IP attempting to log into multiple different accounts.
* **Attack Surface Reduction:** Disable legacy authentication protocols that do not support MFA.
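One way to implement the log-monitoring check above (a single IP failing against many distinct accounts within a short window, with any later success from that IP surfaced as a likely compromise). This is an added example, not code from the Microsoft report; the log lines, field names and thresholds are constructed for illustration:

```python
"""Flag password-spray patterns in sign-in logs. Added example, not from the report.
Log format is constructed (one JSON object per line); adapt parse_line() to your real schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once each against three accounts, then succeeds
# on a fourth (spray, then compromise); 198.51.100.9 hammers one account (brute force).
SAMPLE_LOG = """\
{"ts": "2023-09-14T02:00:01Z", "user": "alice@example.test", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T02:00:09Z", "user": "bob@example.test", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T02:00:17Z", "user": "carol@example.test", "ip": "203.0.113.7", "result": "failure"}
{"ts": "2023-09-14T02:00:35Z", "user": "dave@example.test", "ip": "203.0.113.7", "result": "success"}
{"ts": "2023-09-14T02:01:00Z", "user": "frank@example.test", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2023-09-14T02:01:05Z", "user": "frank@example.test", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2023-09-14T02:01:10Z", "user": "frank@example.test", "ip": "198.51.100.9", "result": "failure"}
{"ts": "2023-09-14T03:30:00Z", "user": "alice@example.test", "ip": "192.0.2.44", "result": "success"}
"""

def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=3):
    """Return {ip: finding} for IPs whose failed sign-ins hit >= min_accounts
    distinct accounts inside one time window (many accounts, few tries each),
    with any success from that IP after the spray began listed as a likely hit."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        failures = [e for e in events if e["result"] == "failure"]
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if len({e["user"] for e in failures[start:end + 1]}) >= min_accounts:
                first = failures[start]["ts"]
                findings[ip] = {
                    "accounts": len({e["user"] for e in failures}),
                    "failures": len(failures),
                    "successes": [e["user"] for e in events
                                  if e["result"] == "success" and e["ts"] >= first],
                }
                break
    return findings
```

The brute-force source is deliberately not flagged: three failures against one account is a different pattern (and a lockout-policy case), which is why the rule counts distinct accounts rather than raw failures.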