Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Social Engineering
Iranian Hackers Targeting Middle East Experts
Tehran-Aligned Group Mint Sandstorm Uses Israel-Hamas Conflict as a LureHackers aligned with the Iranian state are masquerading as journalists to target Israel-Hamas war experts and deploy a new custom backdoor that supports the Iranian government's spying agenda.
See Also: OnDemand | 2024 Phishing Insights: What 11.9 Million User Behaviors Reveal About Your Risk
"High-profile" figures tracking Middle Eastern affairs from Belgium, France, Gaza, Israel, the United Kingdom and the United States are prime targets, Microsoft's threat intelligence team said Wednesday. Victims receive bespoke phishing lures related to the Israel-Hamas conflict from supposed journalists and other high-profile individuals. Operators build trust with the targets before attempting to deliver malware.
"It's possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum," Microsoft said.
The Redmond giant called the group, which it tracks as Mint Sandstorm - also known as Charming Kitten - "technically and operationally mature" due to its connection with the intelligence arm of the Islamic Revolutionary Guard Corps.
Mint Sandstorm's latest campaign included use of a novel backdoor malware dubbed MediaPl, which masquerades as Windows Media Player. The backdoor is capable of sending encrypted communication to its command-and-control server. It can also pause and retry communications and shut itself down.
Microsoft observed another Mint Sandstorm PowerShell-based backdoor malware, dubbed MischiefTut, which facilitates the deployment of additional tools and provides reconnaissance. MischiefTut enables threat actors to execute commands on compromised systems and transmit the results to servers controlled by the attackers.
This Iranian threat actor regularly updates its malware arsenal to support espionage activities and uses bespoke phishing lures to trick targets (see: Iranian APT Group Charming Kitten Updates Powerstar Backdoor).
The threat actor is historically "known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran," Microsoft said.
German intelligence warned in August 2023 of an increase in Iranian espionage. Cybersecurity firm Eset in a September report said Mint Sandstorm had used a then-previously unseen backdoor to target at least 32 organizations in Israel (see: Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor).