The Iranian government-supported hacking group Mint Sandstorm has been targeting critical infrastructure in the U.S. between late 2021 and mid-2022. According to Microsoft Threat Intelligence, the group is technically and operationally mature, aligning with Iran’s national priorities.
Mint Sandstorm’s targets
Mint Sandstorm has targeted entities such as seaports, energy companies, transit systems, and major U.S. utility and gas companies. These attacks are believed to be retaliation for previous attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran has accused the U.S. and Israel of orchestrating these attacks to create unrest.
Previously known as Phosphorus, Mint Sandstorm has other names, including APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda. The group is associated with the Islamic Revolutionary Guard Corps (IRGC), unlike MuddyWater, which is linked to Iran’s Ministry of Intelligence and Security (MOIS).
Adapting tactics and techniques
Mint Sandstorm has shown a propensity for refining its tactics in highly-targeted phishing campaigns. They quickly adopt proof-of-concepts (PoCs) related to flaws in internet-facing applications for initial access and persistence. Not only newly disclosed vulnerabilities but also older ones like Log4Shell are exploited by the group.
Following a successful breach, the hackers actively deploy a custom PowerShell script and activate one of the two available attack chains. Firstly, the initial chain employs extra PowerShell scripts to connect to a remote server and pilfer Active Directory databases. Secondly, the alternative chain utilizes Impacket to establish a connection with an actor-controlled server and deploy a custom implant called Drokbk and Soldier, which is a multistage .NET backdoor.
Drokbk was previously detailed by Secureworks Counter Threat Unit (CTU) in December 2022, attributed to Nemesis Kitten, a sub-cluster of Mint Sandstorm.
Low-volume phishing campaigns
Microsoft pointed out the group’s low-volume phishing campaigns. These campaigns result in the deployment of a custom, modular backdoor called CharmPower. This PowerShell-based malware reads files, gathers host information, and exfiltrates the data.
Mint Sandstorm’s capabilities are alarming. They allow operators to hide command and control (C2) communication. Additionally, they can maintain persistence in compromised systems and use diverse post-compromise tools.
{{user}} {{datetime}}
{{text}}