Microsoft has reported that an Iranian-backed threat group has been conducting extensive password spray attacks since February 2023, targeting thousands of organisations in the US and worldwide. The campaign, which involved sophisticated cloud-based tactics, was allegedly aimed at gathering intelligence in support of Iranian interests. In the report, it is asserted that sensitive data was successfully stolen from a select few victims operating within the defense, satellite, and pharmaceutical sectors.
Known as APT33 (also known as Peach Sandstorm, HOLMIUM, or Refined Kitten), this cyberespionage group has been operational since 2013, targeting organisations across different industries w in the United States, Saudi Arabia, and South Korea.
Between February and July 2023, the Microsoft Threat Intelligence team detected a series of password spray attacks conducted by Peach Sandstorm. These attacks specifically targeted organisations in the US. Password spraying involves attempting a single password or a list of commonly used passwords on multiple accounts, increasing the likelihood of gaining unauthorised access. The attackers also took advantage of vulnerabilities in Confluence and ManageEngine appliances to infiltrate networks. Once inside, they leveraged open-source security frameworks and compromised Azure credentials to gather information and gain control over devices within the victims' networks.
APT33 actors used various techniques, including Golden SAML attacks, AnyDesk for persistence, sideloading custom DLLs, and EagleRelay for tunnelling malicious traffic to their command-and-control infrastructure.
Last year, the NSA reported that the Russian APT28 group used password spray attacks against US government agencies. Similarly, in October 2021, Microsoft observed password spray attacks conducted by Iranian and Russian hacking groups against defence tech companies and managed service providers.