
Iranian Hackers Peach Sandstorm Are Delivering New Backdoor

FalseFont Backdoor Enables Attackers to Remotely Connect to a Compromised System
Iranian state hackers tracked as Peach Sandstorm are using a newly developed backdoor. (Image: Shutterstock)

Microsoft said Iranian state hackers are using a newly developed backdoor to target organizations in the American defense industrial base.


The Iranian state threat actor that Microsoft tracks as Peach Sandstorm employed a custom backdoor named FalseFont, which lets its operators remotely connect to a compromised system, launch additional files on it and send data to attacker-controlled servers.

Researchers first spotted the custom backdoor in early November 2023, Microsoft said Wednesday. The defense industrial base encompasses a broad range of industries that contribute to national military capabilities, including aerospace, technology and manufacturing.

Between February and July, the nation-state hacker carried out a wave of password-spraying attacks against thousands of targets, the computing giant reported.

Microsoft earlier tracked the group as Holmium, and it is also known as APT33 and Refined Kitten.

Password spraying is not a sophisticated technique. It is a variant of the brute-force attack, which tries many password guesses against a single account. Spraying instead tries the same password guess against many accounts, which keeps each account below its lockout threshold, and bets that at least one user has reused a previous password or chosen one that is easy to guess.
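As an added example (not code from the article or from Microsoft), this is the detection heuristic a defender would apply to the pattern just described: one source failing logins across many accounts while staying under the lockout threshold, with any later success from that same source surfaced as a likely compromised account. The log format, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the article or Microsoft's report): a heuristic
# password-spray detector. Log format, thresholds and sample lines are
# constructed assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <source ip> <user> <result>"
SAMPLE_LOG = """\
2023-11-02T09:00:01 198.51.100.7 alice FAIL
2023-11-02T09:00:03 198.51.100.7 bob FAIL
2023-11-02T09:00:05 198.51.100.7 carol FAIL
2023-11-02T09:00:07 198.51.100.7 dave FAIL
2023-11-02T09:00:09 198.51.100.7 erin FAIL
2023-11-02T09:00:11 198.51.100.7 frank SUCCESS
2023-11-02T09:01:00 203.0.113.9 alice FAIL
2023-11-02T09:01:02 203.0.113.9 alice FAIL
2023-11-02T09:01:04 203.0.113.9 alice FAIL
2023-11-02T09:01:06 203.0.113.9 alice FAIL
2023-11-02T09:01:08 203.0.113.9 alice FAIL
2023-11-02T09:05:00 192.0.2.20 grace SUCCESS
"""

def parse(log_text):
    # one event per line -> (timestamp, source, user, result)
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, lockout=5):
    """Map each suspicious source to the accounts it sprayed and any later successes."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(parse(log_text)):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        for i, (ts0, _, _) in enumerate(evs):  # slide a window over this source
            fails, successes = defaultdict(int), []
            for ts, user, result in evs[i:]:
                if ts - ts0 > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.append(user)
            # spray signature: many accounts, each kept under the lockout threshold
            if len(fails) >= min_accounts and max(fails.values()) < lockout:
                alerts[src] = {"accounts": sorted(fails), "successes": sorted(successes)}
                break
    return alerts
```

The second source in the sample (five failures against one account) is classic brute force rather than spraying, so it is deliberately not flagged here; it is the case an account-lockout policy already handles.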

"The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft," Microsoft said.

The increasing sophistication of Iranian hackers is a warning Microsoft has sounded before, writing in September that Tehran threat actors are turning zero-day disclosures into exploits within a matter of days, or even hours. Peach Sandstorm conforms with Iranian state hackers' reputation for leaning heavily on phishing, credential stuffing and other social engineering techniques as initial attack vectors, but some of its activity after gaining initial access has been "stealthy and sophisticated," Microsoft said (see: Iranian Hackers Gain Sophistication, Microsoft Warns).

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
