Iranian hackers ‘tickle’ targets in US, UAE with custom tool, Microsoft says
Iranian government-connected hackers are deploying custom malware to compromise targets in the satellite, oil and gas, communications and government sectors in the United States and United Arab Emirates, according to research Microsoft published on Wednesday.
It’s the latest evidence of ever-expanding Iranian aggression in cyberspace, coming shortly after revelations about how hackers from the country have targeted both parties in the 2024 U.S. presidential race.
The group that’s at the center of Wednesday’s report — which Microsoft calls Peach Sandstorm but is also known as APT33 and Refined Kitten, among other monikers — recently deployed a custom backdoor dubbed Tickler. Microsoft observed Tickler activity from April to July. The malware relies on infrastructure hosted on Microsoft’s own Azure cloud computing platform, using fraudulent, attacker-controlled subscriptions.
“Microsoft assesses that Peach Sandstorm operates on behalf of the Iranian Islamic Revolutionary Guard Corps (IRGC) based on the group’s victimology and operational focus,” the company said in its report. “Microsoft further assesses that Peach Sandstorm’s operations are designed to facilitate intelligence collection in support of Iranian state interests.”
The Tickler attacks follow recent password spray attacks, which try a few common passwords against a wide array of accounts rather than many passwords against one, so that no single account trips a lockout threshold. Peach Sandstorm has a history of using that method to penetrate targets, and Microsoft saw such attacks as recently as April and May. Microsoft said the group targeted the defense, space, education, and government sectors in the United States and Australia.
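Because a password spray inverts the shape of a brute-force attack (many accounts, one or two failures each, from the same source), it is easy to miss if you only alert on repeated failures against a single account. The following added example, which is not from Microsoft’s report or the article, shows detection logic that keys on that inverted pattern. The log format (timestamp, source IP, username, result), the sample lines, and the thresholds are all constructed assumptions; a real sign-in log would carry more fields and the thresholds would be tuned to the environment.

```python
"""Password-spray detector over constructed sign-in log records.

Added example, not from the Microsoft report or the article. A spray tries one
or a few passwords against many accounts, staying under per-account lockout
thresholds. The signal is therefore: many distinct accounts failing, few
failures per account, from one source, within a short window. Log format,
sample data and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source IP, username, result.
# 203.0.113.7 sprays six accounts once each and lands one success (spray);
# 198.51.100.9 hammers a single account (brute force, not a spray);
# 192.0.2.44 is one ordinary failed login.
SAMPLE_LOG = """\
2024-04-02T08:00:01Z 203.0.113.7 alice@example.test FAILURE
2024-04-02T08:00:03Z 203.0.113.7 bob@example.test FAILURE
2024-04-02T08:00:05Z 203.0.113.7 carol@example.test FAILURE
2024-04-02T08:00:07Z 203.0.113.7 dave@example.test FAILURE
2024-04-02T08:00:09Z 203.0.113.7 erin@example.test FAILURE
2024-04-02T08:00:11Z 203.0.113.7 frank@example.test SUCCESS
2024-04-02T08:01:00Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T08:01:01Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T08:01:02Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T08:01:03Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T08:01:04Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T08:01:05Z 198.51.100.9 alice@example.test FAILURE
2024-04-02T09:30:00Z 192.0.2.44 grace@example.test FAILURE
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_accounts=5, max_failures_per_account=2):
    """Return {source_ip: {"sprayed_accounts": [...], "successes": [...]}}
    for every source that, inside any `window`-long span of its own events,
    fails against at least `min_accounts` distinct accounts while failing
    against each of them at most `max_failures_per_account` times.
    Successful logins from a flagged source within that span are reported
    as likely compromised accounts."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, result = parse_line(line)
            by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            failures = defaultdict(int)
            for _, user, result in span:
                if result == "FAILURE":
                    failures[user] += 1
            if (len(failures) >= min_accounts
                    and max(failures.values()) <= max_failures_per_account):
                hit = findings.setdefault(ip, {"sprayed_accounts": set(),
                                               "successes": set()})
                hit["sprayed_accounts"].update(failures)
                hit["successes"].update(u for _, u, r in span if r == "SUCCESS")

    # Sorted lists make the output stable for reporting and testing.
    return {ip: {k: sorted(v) for k, v in hit.items()} for ip, hit in findings.items()}


if __name__ == "__main__":
    for ip, hit in detect_password_spray(SAMPLE_LOG).items():
        print(f"{ip}: sprayed {len(hit['sprayed_accounts'])} accounts, "
              f"successes={hit['successes']}")
```

The brute-force source is deliberately not flagged: six failures against one account is a different signal with a different response (lock or step-up that account), whereas a spray calls for blocking the source and reviewing every account it touched, especially any that then logged in successfully.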
The attacks appear to have had some success. “In the past year, Peach Sandstorm has successfully compromised several organizations, primarily in the aforementioned sectors using bespoke tooling,” the report states.
Government agencies and industry have been devoting more attention to the space sector, although some think they should be taking other steps to protect it.
The Iranian government routinely denies any connection to overseas hacking operations.