
Iranian Hackers Targeting Middle East Experts

Tehran-Aligned Group Mint Sandstorm Uses Israel-Hamas Conflict as a Lure
The Milad Tower in downtown Tehran, Iran, in a photo taken on Aug. 2, 2023 (Image: Shutterstock)

Hackers aligned with the Iranian state are masquerading as journalists to target Israel-Hamas war experts and deploy a new custom backdoor that supports the Iranian government's spying agenda.


"High-profile" figures tracking Middle Eastern affairs from Belgium, France, Gaza, Israel, the United Kingdom and the United States are prime targets, Microsoft's threat intelligence team said Wednesday. Victims receive bespoke phishing lures related to the Israel-Hamas conflict from supposed journalists and other high-profile individuals. Operators build trust with the targets before attempting to deliver malware.

"It's possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum," Microsoft said.

Microsoft, which tracks the group as Mint Sandstorm (also known as Charming Kitten and APT35), called the subgroup behind this campaign "technically and operationally mature" and tied it to the intelligence arm of Iran's Islamic Revolutionary Guard Corps.

Mint Sandstorm's latest campaign included a novel backdoor dubbed MediaPl, which masquerades as Windows Media Player. The backdoor sends encrypted communications to its command-and-control server, can pause and retry those communications, and can terminate itself.
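The article gives no file names, hashes or paths for MediaPl, so nothing below is an indicator from Microsoft's report. It is an added hunting example, written for this page rather than taken from it, that checks the one property the article does give: a binary claiming to be Windows Media Player. It assumes a lookalike would either name itself like the real player (wmplayer.exe) or carry "Windows Media Player" in its file description, and it flags any such process that is not Microsoft-signed or does not live in the real player's directory. The directory list and the name/description heuristics are assumptions.

```powershell
# Added hunt example, not code from the ISMG article or Microsoft's report.
# Assumptions (not from the page): a Windows Media Player lookalike either
# uses the real process name (wmplayer) or carries "Windows Media Player" in
# its file description; the genuine binary lives under
# "Program Files\Windows Media Player" and is signed by Microsoft.

$ExpectedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } |                       # skip unset vars (32-bit hosts)
    ForEach-Object { Join-Path $_ 'Windows Media Player' }

function Test-MediaPlayerLookalike {
    param([Parameter(Mandatory)][System.Diagnostics.Process]$Proc)

    # Path is empty when the image is inaccessible (protected/system processes)
    if (-not $Proc.Path) { return $null }

    # Does the process claim to be Windows Media Player at all?
    $claimsIdentity = ($Proc.ProcessName -ieq 'wmplayer') -or
                      ($Proc.Description -like '*Windows Media Player*')
    if (-not $claimsIdentity) { return $null }

    # Check 1: is the image where the real player is installed?
    $dir = Split-Path -Path $Proc.Path -Parent
    $inExpectedDir = [bool]($ExpectedDirs | Where-Object { $dir -ieq $_ })

    # Check 2: is the image validly signed by Microsoft?
    $sig = Get-AuthenticodeSignature -FilePath $Proc.Path
    $msSigned = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')

    [pscustomobject]@{
        PID        = $Proc.Id
        Name       = $Proc.ProcessName
        Path       = $Proc.Path
        SigStatus  = $sig.Status
        Suspicious = -not ($inExpectedDir -and $msSigned)
    }
}

# Report only processes that claim the identity but fail either check.
Get-Process | ForEach-Object { Test-MediaPlayerLookalike -Proc $_ } |
    Where-Object { $_ -and $_.Suspicious } |
    Format-Table -AutoSize
```

Run it as an administrator so that `Get-Process` can read image paths for other users' processes; a legitimate player shows `Suspicious` as `False`, and an empty result means nothing on the host is claiming that identity from an unexpected place or without a valid Microsoft signature. Because the real malware's naming is unknown from this page, treat a hit as a lead for triage, not a verdict.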

Microsoft observed another Mint Sandstorm PowerShell-based backdoor malware, dubbed MischiefTut, which facilitates the deployment of additional tools and provides reconnaissance. MischiefTut enables threat actors to execute commands on compromised systems and transmit the results to servers controlled by the attackers.

This Iranian threat actor regularly updates its malware arsenal to support espionage activities and uses bespoke phishing lures to trick targets (see: Iranian APT Group Charming Kitten Updates Powerstar Backdoor).

The threat actor is historically "known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran," Microsoft said.

German intelligence warned in August 2023 of an increase in Iranian espionage. Cybersecurity firm ESET said in a September report that Mint Sandstorm had used a previously unseen backdoor to target at least 32 organizations in Israel (see: Iranian Hackers 'Ballistic Bobcat' Deploy New Backdoor).

About the Author

Mihir Bagwe


Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.
