The Iranian government-backed hacker group known as APT 33 has been active for more than a decade, waging an aggressive espionage campaign against a range of public and private sector victims around the world, including critical infrastructure. The group is known especially for strategic but technically simple attacks like “password spraying,” but has also dabbled in developing more advanced hacking tools, such as destructive malware designed to disrupt industrial control systems. Now, according to findings released by Microsoft on Wednesday, the group continues to evolve its techniques with a new multi-stage backdoor.
According to Microsoft Threat Intelligence, the group, called Peach Sandstorm, developed custom malware that attackers can use to gain remote access to victim networks. The backdoor, which Microsoft has named “Tickler” for some reason, infects targets after the hacking group gains initial access through password spraying or social engineering. Between April and July, researchers observed Peach Sandstorm deploying the backdoor against victims in sectors including satellite, communications equipment, and oil and gas. Microsoft said the group has also used the malware to target federal and state government agencies in the United States and the United Arab Emirates.
“We are publishing our findings regarding Peach Sandstorm’s use of Tickler to raise awareness of this threat actor’s evolving modus operandi,” Microsoft Threat Intelligence said in a report on Wednesday. “This activity is consistent with the threat actor’s ongoing intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.”
The researchers observed Peach Sandstorm deploying Tickler and using the hackers’ Azure subscriptions to manipulate victims’ Azure cloud infrastructure and gain complete control over targeted systems. Microsoft said it has notified customers affected by the targeting the researchers observed.
According to Microsoft, the group also continues to employ low-tech password spraying attacks, in which hackers try a small number of leaked or common passwords against many target accounts until one combination allows entry. Peach Sandstorm uses this technique to gain access to target systems and infect them with the Tickler backdoor, as well as for other types of espionage. Since February 2023, researchers have observed the hackers “performing password spraying activities against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying to target U.S. and Australian organizations in the space, defense, government, and education sectors.
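The shape described above is what makes password spraying detectable on the defender's side: one source touches many accounts with only one or two failures each, the opposite of a brute-force attack that hammers a single account. The following Python is an added illustration and is not part of the article or of Microsoft's report; it assumes a constructed syslog-style line format ("auth failure user=... src=...") and sample events invented for the example, and flags a source when its failures inside a time window span at least five distinct accounts with no more than two failures per account.

```python
"""Flag password-spraying patterns in authentication logs (added example).

Not Microsoft's detection logic. A spray appears as ONE source failing against
MANY distinct accounts a few times each; a brute-force attack is the reverse
(many failures, one account), so the second shape is deliberately not flagged.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real telemetry. Assumed line format:
# "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth failure user=alice src=203.0.113.5
2024-05-01T09:00:03 auth failure user=bob src=203.0.113.5
2024-05-01T09:00:05 auth failure user=carol src=203.0.113.5
2024-05-01T09:00:07 auth failure user=dave src=203.0.113.5
2024-05-01T09:00:09 auth failure user=erin src=203.0.113.5
2024-05-01T09:00:11 auth success user=frank src=203.0.113.5
2024-05-01T09:05:00 auth failure user=alice src=198.51.100.7
2024-05-01T09:05:02 auth failure user=alice src=198.51.100.7
2024-05-01T09:05:04 auth failure user=alice src=198.51.100.7
2024-05-01T09:05:06 auth failure user=alice src=198.51.100.7
2024-05-01T09:05:08 auth failure user=alice src=198.51.100.7
2024-05-01T09:05:10 auth failure user=alice src=198.51.100.7
2024-05-01T10:30:00 auth failure user=grace src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse the assumed line format into event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spray(events, window=timedelta(minutes=15), min_accounts=5, max_per_account=2):
    """Return one alert per source IP whose failures within any `window`-long span
    touch at least `min_accounts` distinct accounts with at most `max_per_account`
    failures each. The alert also records whether a success from the same source
    followed the spray, the case that deserves immediate attention."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "failure"]
        best = None
        # Slide a window starting at each failure and count failures per account.
        for i, start in enumerate(failures):
            per_user = defaultdict(int)
            for e in failures[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            # Many accounts, few tries each: spray. Few accounts, many tries: not a spray.
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > best["accounts"]:
                    best = {"src": src, "accounts": len(per_user), "window_start": start["ts"]}
        if best is not None:
            best["success_after_spray"] = any(
                e["result"] == "success" and e["ts"] >= best["window_start"] for e in evs
            )
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, 203.0.113.5 is flagged (five accounts, one failure each, followed by a success), while 198.51.100.7, which fails six times against a single account, is not: that is the brute-force shape and belongs to a different rule. The thresholds are starting points; tune them against your own sign-in volume, and map the parser to whatever field names your identity provider's sign-in log actually uses.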
“Peach Sandstorm continues to conduct password-spraying attacks against the education sector for infrastructure procurement, and against the satellite, government, and defense sectors as a primary target for intelligence gathering,” Microsoft wrote.
In addition to this activity, the group has continued social engineering activity on LinkedIn, the Microsoft-owned professional social network, dating back to at least November 2021 and continuing through mid-2024, according to the researchers. Microsoft observed the group creating LinkedIn profiles posing as students, software developers, and talent acquisition managers based in the U.S. and Western Europe.
“Peach Sandstorm primarily used [these accounts] to conduct intelligence gathering and social engineering activities against individuals in higher education, satellite and related industries,” Microsoft wrote. “The identified LinkedIn accounts have since been removed.”
Iranian hackers have long been active and aggressive on the international stage, with no signs of slowing down. Earlier this month, reports emerged that another Iranian group is targeting the 2024 US presidential election cycle, including attacks on the Trump and Harris campaigns.