Iran-linked APT33 targets Defense Industrial Base sector with FalseFont backdoor

Pierluigi Paganini December 25, 2023

Microsoft reports that the Iran-linked APT33 group is targeting defense contractors worldwide with FalseFont backdoor.

Microsoft says the APT33 (aka Peach Sandstorm, HolmiumElfin, and Magic Hound) Iranian cyber-espionage group is using recently discovered FalseFont backdoor malware to attack against organizations in the Defense Industrial Base (DIB) sector.

“Microsoft has observed the Iranian nation-state actor Peach Sandstorm attempting to deliver a newly developed backdoor named FalseFont to individuals working for organizations in the Defense Industrial Base (DIB) sector.” reads the report published by Microsoft.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production. Most of the targets were in the Middle East, others were in the U.S., South Korea, and Europe. 

The use of FalseFont is a trademark of APT33’s operations and confirms that the nation-state actor continues to improve its arsenal. The custom backdoor supports a wide range of functionalities that allow attackers to remotely control infected systems and harvest sensitive information.

The recent attacks involving FalseFont were first observed in early November 2023.

In September 2023, Microsoft researchers observed a series of password spray attacks conducted by Iran nation-state actors as part of a campaign named Peach Sandstorm.

The campaign targeted thousands of organizations worldwide between February and July 2023. The cyber espionage activity attacks are aimed at organizations in the satellite, defense, and pharmaceutical sectors.

“Since February 2023, Microsoft has observed password spraying activity against thousands of organizations carried out  by an actor we track as Peach Sandstorm (HOLMIUM). Peach Sandstorm is an Iranian nation-state threat actor who has recently pursued organizations in the satellite, defense, and pharmaceutical sectors around the globe.” reads the report published by Microsoft. “Microsoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of Iranian state interests.”

Password spraying is a type of brute force attack where the attackers carry out brute force logins based on a list of usernames with default passwords on the application. In this attack scenario, threat actors use one password against many different accounts on the application to avoid account lockouts that would normally trigger when brute forcing a single account with many passwords.

Once authenticated to an account, Peach Sandstorm threat actors used publicly available and custom tools to look for information of interest, to maintain persistence, and perform lateral movement. In a limited number of intrusions, the threat actors were observed exfiltrating data from the compromised environment.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT33)

you might also like

leave a comment