A group backed by the Iranian government, dubbed Mint Sandstorm, has been connected to cyber-attacks targeting critical US infrastructure from late 2021 to mid-2022. Microsoft’s Threat Intelligence team stated that this subgroup is skilled and operationally mature, capable of swiftly developing custom tools and exploiting N-day vulnerabilities. The group’s focus appears to align with Iran’s national priorities.
The targeted organizations include seaports, energy firms, transit systems, and a major US utility and gas company. The suspected motive for these attacks is retaliation for cyber-attacks on Iranian maritime, railway, and gas station payment systems that occurred from May 2020 to late 2021. Iran accused Israel and the US of orchestrating the gas station attacks to create unrest in the country.
Mint Sandstorm was previously identified as Phosphorus, APT35, Charming Kitten, ITG18, TA453, and Yellow Garuda. Microsoft has adopted a weather-themed naming system for threat actors due to the growing complexity, scale, and volume of threats. Unlike MuddyWater (Mercury or Mango Sandstorm), which is associated with Iran’s Ministry of Intelligence and Security, Mint Sandstorm is believed to be linked to the Islamic Revolutionary Guard Corps.
The cyber-attacks reveal the group’s ability to continuously refine its tactics, using highly targeted phishing campaigns to access target environments. These attacks involve rapidly adopting proofs-of-concept (PoCs) for vulnerabilities in internet-facing applications (e.g., CVE-2022-47966 and CVE-2022-47986) for initial access and persistence.
Upon a successful breach, a custom PowerShell script is deployed, activating one of two attack chains. The first chain uses more PowerShell scripts to connect to a remote server and steal Active Directory databases, while the second chain employs Impacket to connect to an attacker-controlled server and deploy custom implants called Drokbk and Soldier. Soldier is a multistage .NET backdoor with the ability to download and run tools and uninstall itself. Drokbk was previously detailed by Secureworks Counter Threat Unit (CTU) in December 2022, which attributed it to Nemesis Kitten (aka Cobalt Mirage, TunnelVision, or UNC2448), a sub-group of Mint Sandstorm.
Microsoft also highlighted the threat actor’s low-volume phishing campaigns that lead to the deployment of a third custom and modular backdoor called CharmPower. This PowerShell-based malware can read files, collect host information, and exfiltrate the data. The capabilities observed in intrusions attributed to Mint Sandstorm are concerning as they enable operators to conceal command and control (C2) communication, maintain persistence in compromised systems, and deploy a variety of post-compromise tools with different capabilities, according to the tech giant.