ShiftDelete.net
FOLLOW US

Iranian hackers target U.S. energy and transit: Mint Sandstorm

Iranian government-backed hackers Mint Sandstorm target US energy and transit systems in suspected retaliatory attacks.

Iranian hackers target U.S. energy and transit: Mint Sandstorm

The Iranian government-supported hacking group Mint Sandstorm has been targeting critical infrastructure in the U.S. between late 2021 and mid-2022. According to Microsoft Threat Intelligence, the group is technically and operationally mature, aligning with Iran’s national priorities.

Mint Sandstorm’s targets

Mint Sandstorm has targeted entities such as seaports, energy companies, transit systems, and major U.S. utility and gas companies. These attacks are believed to be retaliation for previous attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has accused the U.S. and Israel of orchestrating these attacks to create unrest.

Previously known as Phosphorus, Mint Sandstorm has other names, including APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda. The group is associated with the Islamic Revolutionary Guard Corps (IRGC), unlike MuddyWater, which is linked to Iran’s Ministry of Intelligence and Security (MOIS).

Adapting tactics and techniques

Mint Sandstorm has shown a propensity for refining its tactics in highly-targeted phishing campaigns. They quickly adopt proof-of-concepts (PoCs) related to flaws in internet-facing applications for initial access and persistence. Not only newly disclosed vulnerabilities but also older ones like Log4Shell are exploited by the group.

Following a successful breach, the hackers actively deploy a custom PowerShell script and activate one of the two available attack chains. Firstly, the initial chain employs extra PowerShell scripts to connect to a remote server and pilfer Active Directory databases. Secondly, the alternative chain utilizes Impacket to establish a connection with an actor-controlled server and deploy a custom implant called Drokbk and Soldier, which is a multistage .NET backdoor.

Drokbk was previously detailed by Secureworks Counter Threat Unit (CTU) in December 2022, attributed to Nemesis Kitten, a sub-cluster of Mint Sandstorm.

Low-volume phishing campaigns

Microsoft pointed out the group’s low-volume phishing campaigns. These campaigns result in the deployment of a custom, modular backdoor called CharmPower. This PowerShell-based malware reads files, gathers host information, and exfiltrates the data.

Mint Sandstorm’s capabilities are alarming. They allow operators to hide command and control (C2) communication. Additionally, they can maintain persistence in compromised systems and use diverse post-compromise tools.

Mint Sandstorm

SDN Comments 0 Comments

Comment

Related News

Porsche files patent for 6-stroke ICE design
Porsche files patent for 6-stroke ICE design
HTC Vive Focus Vision introduced! Here are the price and features
HTC Vive Focus Vision introduced! Here are the price and features
Real images of Nintendo Switch 2 leaked!
Real images of Nintendo Switch 2 leaked!

SDN Network

Sihirli Elma Yeşil Robot Tech Inside Pembe Teknoloji Co-Founder.Work Future Flow Life

SDN.net

1250 BORREGAS AVENUE, #40, SUNNYVALE, CA
94089 ShiftDelete.Net LLC

info@shiftdelete.net

Shiftdelete.Net is a member of the Association of Internet Media and IT Reporters.

Desteklio