The Iranian government-backed hacking group known as APT 33 has been active for more than 10 years, conducting aggressive espionage operations against a diverse array of public and private sector victims around the world, including critical infrastructure targets. And while the group is particularly known for strategic but technically simple attacks like “password spraying,” it has also dabbled in developing more sophisticated hacking tools, including potentially destructive malware tailored to disrupt industrial control systems. Now, findings from Microsoft released on Wednesday indicate that the group is continuing to evolve its techniques with a new multistage backdoor.
Microsoft Threat Intelligence says that the group, which it calls Peach Sandstorm, has developed custom malware that attackers can use to establish remote access into victim networks. The backdoor, which Microsoft named “Tickler” for some reason, infects a target after the hacking group gains initial access via password spraying or social engineering. Beginning in April and as recently as July, the researchers observed Peach Sandstorm deploying the backdoor against victims in sectors including satellite, communications equipment, and oil and gas. Microsoft also says that the group has used the malware to target federal and state government entities in the United States and the United Arab Emirates.
“We are sharing our research on Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving tradecraft,” Microsoft Threat Intelligence said on Wednesday in its report. “This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their longstanding cyber operations.”
The researchers observed Peach Sandstorm deploying Tickler and then manipulating victim Azure cloud infrastructure using the hackers’ Azure subscriptions to gain full control of target systems. Microsoft says that it has notified customers who were impacted by the targeting the researchers observed.
The group has also continued its low-tech password spraying attacks, according to Microsoft, in which hackers attempt to access many target accounts by guessing leaked or common passwords until one lets them in. Peach Sandstorm has been using this technique to gain access to target systems both to infect them with the Tickler backdoor and for other types of espionage operations. Since February 2023, the researchers say they have observed the hackers “carrying out password spray activity against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying to target United States and Australian organizations that are in the space, defense, government, and education, sectors.
“Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection,” Microsoft wrote.
The researchers say that, in addition to this activity, the gang has been continuing its social engineering operations on the Microsoft-owned professional social network LinkedIn, which they say date back to at least November 2021 and have continued into mid-2024. Microsoft observed the group setting up LinkedIn profiles that purport to be students, software developers, and talent acquisition managers who are supposedly based in the US and Western Europe.
“Peach Sandstorm primarily used [these accounts] to conduct intelligence gathering and possible social engineering against the higher education, satellite sectors, and related industries,” Microsoft wrote. “The identified LinkedIn accounts were subsequently taken down.”
Iranian hackers have been prolific and aggressive on the international stage for years and have shown no signs of slowing down. Earlier this month, reports surfaced that a different Iranian group has been targeting the 2024 US election cycle, including attacks against both the Trump and Harris campaigns.