Microsoft has released a report detailing recent activity by Mint Sandstorm, an Iranian state-sponsored hacking group, targeting high-profile academics and researchers working on Middle Eastern affairs. The report highlights new tactics and malware, signaling an escalation in capabilities.
According to Microsoft, since November 2023, a skilled subgroup within Mint Sandstorm has been carrying out spear-phishing attempts against individuals at universities and think tanks in several Western countries, Israel, and Gaza. The social engineering tactics are highly tailored to build trust before delivering sophisticated malware.
New capabilities observed include compromising legitimate email accounts and sending phishing lures from them, which lends the messages credibility. The attackers also abuse legitimate, freely available command-line utilities such as NirCmd for post-compromise activity; because such tools are also used by administrators, their presence blends in with normal activity and complicates detection. Most notably, Microsoft analyzed a new custom backdoor dubbed MediaPl, which exfiltrates data over encrypted channels.
"The campaign executed by Mint Sandstorm exhibits a high level of sophistication and strategic targeting," said Ngoc Bui, Cybersecurity Expert at Menlo Security. "The deployment of the custom backdoor MediaPl, along with the use of other tools like MischiefTut, signifies a shift in the operational tactics of Mint Sandstorm, marking an evolution in their cyber espionage capabilities."
The targeting of academics and researchers raises alarms about intellectual property theft and national security impacts. "The danger of these types of attacks, particularly when they are highly targeted and executed by a state-backed entity, is multifaceted," Bui explains. "This could include critical infrastructure, government agencies, or corporations, especially if their interests align with the geopolitical goals of the sponsoring state."
According to Balazs Greksza, Threat Response Lead at Ontinue, the Mint Sandstorm group (also known as APT35) aims to collect intelligence to support Iranian national security and geopolitical interests. "Intelligence goals may shift rapidly based on the needs of national interests, current political and military leadership, and their decision and intelligence needs," Greksza said.
Experts warn that sophisticated techniques could proliferate from geopolitical espionage campaigns to financially motivated cybercrime targeting a wider range of sectors, such as healthcare and manufacturing. "If such advanced techniques spread to other verticals, it could lead to an increased rate of successful attacks," explains Callie Guenther, Senior Manager, Cyber Threat Research, at Critical Start.
The takeaway is that while cyber defenses address digital threats, the consequences of a successful intrusion reach geopolitics, research, critical systems, and lives. Going forward, public and private sector coordination on intelligence sharing and resilience is crucial to limit the disruption groups like Mint Sandstorm can cause. Robust security awareness and sound security architecture remain the most reliable way to counter such threats before damage is done.
Follow SecureWorld News for more stories related to cybersecurity.