The Iranian government-backed hacking group known as APT 33 has been active for more than 10 years, carrying out aggressive espionage operations against a wide range of public and private sector victims around the world, including critical infrastructure targets. And while the group is particularly known for strategic but technically simple attacks like “password spraying,” it has also dabbled in developing more sophisticated hacking tools, including potentially destructive malware designed to disrupt industrial control systems. Now, Microsoft findings released Wednesday indicate the group is continuing to evolve its techniques with a new multi-stage backdoor.
Microsoft Threat Intelligence says the group, which it tracks as Peach Sandstorm, has developed custom malware that the attackers use to establish remote access to victims’ networks. The backdoor, which Microsoft calls “Tickler,” is deployed only after the group has gained initial access through password spraying or social engineering. Between April and July 2024, researchers observed Peach Sandstorm deploying the backdoor against victims in industries including satellites, communications equipment, and oil and gas. Microsoft also says the group has used the malware to target federal and state government entities in the United States and the United Arab Emirates.
“We are sharing our research into Peach Sandstorm’s use of Tickler to raise awareness about the evolving tradecraft of this threat actor,” Microsoft Threat Intelligence said in its report on Wednesday. “This activity is consistent with the threat actor’s ongoing intelligence gathering objectives and represents the latest evolution of its long-standing cyber operations.”
Researchers observed Peach Sandstorm deploy Tickler and then use Azure subscriptions under the hackers’ own control to interact with the victim’s Azure cloud infrastructure, giving the group full control of the targeted systems. Microsoft says it has notified the customers affected by the attacks the researchers observed.
The group has also continued its low-tech password spraying attacks, according to Microsoft. In a password spray, attackers try a small number of common or previously leaked passwords against a large number of accounts, rather than many passwords against one account, so that no single account accumulates enough failures to trigger a lockout. Peach Sandstorm has been using this technique to gain access to target systems both to infect them with the Tickler backdoor and for other types of espionage operations. Since February 2023, researchers say they have observed the hackers “conducting password spraying activities against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying against organizations in the United States and Australia in the space, defense, government, and education sectors.
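Because a spray keeps per-account failures low, detection has to key on breadth (many distinct accounts failing from one source in a short window) rather than depth (many failures on one account). The following is an added example, not code from Microsoft or from the original article, showing that logic run over a handful of constructed sign-in log lines in a hypothetical “timestamp source-ip user result” format; the thresholds, field layout and sample addresses are assumptions chosen for illustration.

```python
"""Toy password-spray detector over constructed sign-in log lines (added example).

A spray tries a few passwords against many accounts, so the signal is a single
source failing against many distinct accounts while each account sees only a
few failures. A source hammering one account is brute force, not a spray, and
is deliberately not reported here.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Format is assumed:
# "<ISO timestamp> <source ip> <user> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 203.0.113.7 alice FAIL
2024-05-01T08:00:04Z 203.0.113.7 bob FAIL
2024-05-01T08:00:09Z 203.0.113.7 carol FAIL
2024-05-01T08:00:13Z 203.0.113.7 dave FAIL
2024-05-01T08:00:20Z 203.0.113.7 erin FAIL
2024-05-01T08:00:25Z 203.0.113.7 frank SUCCESS
2024-05-01T08:01:00Z 198.51.100.9 alice FAIL
2024-05-01T08:01:02Z 198.51.100.9 alice FAIL
2024-05-01T08:01:05Z 198.51.100.9 alice FAIL
2024-05-01T08:01:07Z 198.51.100.9 alice FAIL
2024-05-01T08:01:09Z 198.51.100.9 alice FAIL
2024-05-01T08:01:11Z 198.51.100.9 alice FAIL
2024-05-01T09:30:00Z 192.0.2.44 gina FAIL
2024-05-01T09:30:30Z 192.0.2.44 gina SUCCESS
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "user": user.lower(),
            "ok": result == "SUCCESS",
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_failures_per_account=3):
    """Return {src_ip: {"accounts": [...], "successes": [...]}} for every source
    that failed against at least `min_accounts` distinct accounts inside `window`
    while no single account saw more than `max_failures_per_account` failures.
    `successes` lists accounts that later signed in successfully from the same
    source, which is the first thing to triage after a spray is spotted."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e["ok"]]
        # Slide a window over this source's failures, anchored at each failure.
        for i, first in enumerate(failures):
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e["ts"] - first["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_failures_per_account):
                successes = sorted({e["user"] for e in evs if e["ok"]})
                alerts[src] = {"accounts": sorted(per_user), "successes": successes}
                break  # one alert per source is enough
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_password_spray(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, info in run_sample().items():
        print(f"spray from {src}: {len(info['accounts'])} accounts, "
              f"successful sign-ins: {info['successes'] or 'none'}")
```

On the sample, only 203.0.113.7 is reported: it failed against five accounts with one attempt each and then signed in as frank, which is exactly the spray-then-success pattern worth escalating. The six failures against alice from 198.51.100.9 are a single-account brute force and are left to ordinary lockout controls. In production the same logic would be applied per tenant across identity-provider sign-in logs, with the window and thresholds tuned to the environment's normal failure rate.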
“Peach Sandstorm also continued to conduct password spraying attacks against the education sector for infrastructure acquisition and against the satellite, government, and defense sectors as primary targets for intelligence gathering,” Microsoft wrote.
Researchers say that in addition to this activity, the gang has also continued its social engineering operations on the Microsoft-owned professional social network LinkedIn, which they say date back to at least November 2021 and have continued into mid-2024. Microsoft observed the group creating LinkedIn profiles purporting to be of students, software developers, and talent acquisition managers who were supposedly based in the United States and Western Europe.
“Peach Sandstorm primarily used [these accounts] to gather intelligence and perform social engineering against higher education, satellite, and related industries,” Microsoft wrote. “The identified LinkedIn accounts were subsequently deleted.”
Iranian hackers have been prolific and aggressive on the international stage for years and have shown no signs of slowing down. Earlier this month, reports emerged that another Iranian group has been targeting the 2024 US election cycle, including attacks against the Trump and Harris campaigns.