Iranian threat actor caught carrying out password spray activity against thousands of organizations

Iranian nation-state threat actor Peach Sandstorm (HOLMIUM) has been conducting password spray campaigns to target thousands of organizations in multiple countries. In the past, the threat actor was caught targeting organizations in the aviation, construction, defense, education, energy, financial services, healthcare, government, satellite, and telecommunications sectors globally, however, it recently pursued organizations in the satellite, defense, and pharmaceutical sectors.

According to the latest findings from Microsoft, this campaign is likely used to facilitate intelligence collection in support of Iranian state interests.

"In cases where Peach Sandstorm successfully authenticated to an account, Microsoft observed the group using a combination of publicly available and custom tools for discovery, persistence, and lateral movement. In a small number of intrusions, Peach Sandstorm was observed exfiltrating data from the compromised environment," Microsoft revealed in a report published on Thursday.

In past operations, Peach Sandstorm was found to be relying heavily on password spray attacks - a technique where threat actors attempt to authenticate to many different accounts using a single password or a list of commonly used passwords - to access targets' environments.

Unlike password spray operations which are noisy, a subset of Peach Sandstorm’s 2023 post-compromise activity has been stealthy and sophisticated. Many of the cloud-based tactics, techniques, and procedures (TTPs) seen in these most recent campaigns are materially more sophisticated than capabilities used by the group in the past, Microsoft said.

Between February and July 2023, Peach Sandstorm carried out a wave of password spray attacks attempting to authenticate to thousands of environments. The threat actor also attempted to exploit vulnerable internet-facing applications to gain access to targets' environments.

"As Peach Sandstorm increasingly develops and uses new capabilities, organizations must develop corresponding defenses to harden their attack surfaces and raise costs for these attacks. Microsoft will continue to monitor Peach Sandstorm activity and implement robust protections for our customers," the tech giant said.