In recent months, a notorious Iranian-backed cyber-espionage group known as APT33, or Peach Sandstorm, has escalated its activities, targeting thousands of organizations worldwide. Microsoft's Threat Intelligence team has been closely monitoring the group's activities, shedding light on their sophisticated tactics and their focus on specific industries. This blog post delves into the details of APT33's operations, shedding light on their tactics, techniques, and the industries they've been targeting.
The Rise of APT33
APT33, also known by aliases like Peach Sandstorm, HOLMIUM, and Refined Kitten, has been an active threat since at least 2013. Over the years, they've launched attacks across various industry verticals, including government, defense, research, finance, and engineering, primarily in the United States, Saudi Arabia, and South Korea.
Recent Escalation: 2023 Campaign
Since February 2023, APT33 has embarked on an extensive campaign involving password spray attacks. In this type of attack, threat actors attempt to authenticate to numerous accounts using either a single password or a list of commonly used passwords. This approach significantly increases their chances of success while minimizing the risk of triggering automatic account lockouts, setting it apart from brute force attacks.
Targets and Sensitive Data
Among the victims, APT33 has prioritized organizations in the satellite, defense, and to a lesser extent, pharmaceutical sectors. Microsoft has identified instances where sensitive information was exfiltrated from entities within these sectors. This underscores the group's strategic focus on industries critical to national security and technological advancement.
Exploits and Sophisticated Techniques
In addition to password spraying, APT33 has shown a willingness to exploit vulnerabilities in unpatched Confluence and ManageEngine appliances that are exposed online. Once inside a network, they employ advanced tactics, such as using open-source security frameworks like AzureHound and Roadtools for reconnaissance and data harvesting in Azure Active Directory and cloud environments.
Furthermore, APT33 has demonstrated a high level of sophistication by utilizing compromised Azure credentials to create new subscriptions on victims' tenants. They have also abused Azure Arc for persistence, gaining control over on-premises devices within the targeted networks.
APT33's Arsenal
The group's toolkit includes techniques like Golden SAML attacks for lateral movement, deployment of AnyDesk for persistence, sideloading custom malicious DLLs for executing payloads, and leveraging a tunneling tool called EagleRelay to facilitate malicious traffic to their command-and-control infrastructure.
Implications and Future Trends
Microsoft's assessment suggests that APT33's initial access campaign is likely geared towards intelligence collection in support of Iranian state interests. Notably, the recent campaigns have demonstrated a marked increase in sophistication compared to their previous operations.
Conclusion
The resurgence of APT33 and their recent campaign highlight the evolving landscape of cyber threats, particularly in the realm of state-sponsored cyber-espionage. Organizations in the satellite, defense, and pharmaceutical sectors should remain vigilant and prioritize robust cybersecurity measures to safeguard their sensitive information. Collaboration between government agencies, cybersecurity firms, and the private sector is essential in countering such threats and ensuring a secure digital future.
