Microsoft: US critical infrastructure facing cyberattacks by Iranian-linked hacking group
The hacking group is also known as APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda.
Microsoft has discovered that a subgroup of the Iran-linked hacking group Mint Sandstorm, previously known as PHOSPHORUS, has been conducting cyberattacks on critical infrastructure in the USA, likely as a retaliation for the cyberattacks on Iran’s infrastructure in 2021, which Iran attributed to the USA and Israel.
The group would gain initial access to an organisation by exploiting a vulnerability with public proof-of-concept (POCs). It would then run custom PowerShell script for discovery to catalogue the devices in the network. Two attack chains would followed, where hackers would ultimately obtained the Active Directory database used to access credentials for users’ accounts (attack chain 1) or deployed a custom malware variant, such as Drokbk or Soldier (attack chain 2). These custom malware is a signal that this group is increasingly sophisticated.
The two attack chains used by the Mint Sandstorm subgroup. Source: Microsoft Threat Intelligence
Since this group exploits the publicly available POCs, Microsoft recommends organisations regularly patch vulnerabilities with publicly available POCs.
It is alleged that the Phosphorous hacking group works for the Iranian government and is linked to the Islamic Revolutionary Guard Corps (IRGC).