The image shows a person holding a smartphone displaying a message labeled with a large red stamp that says 'SCAM!'

Executive Summary:

Throughout 2024, there have been multiple sophisticated cyber campaigns targeting space organizations and related technologies. These attacks are often driven by the desire of nation states to gain a competitive advantage through access to sensitive information and technology exchange. One of the most prominent threat groups involved in these activities is Peach Sandstorm, an Iranian-sponsored actor known for its sophisticated cyber espionage operations. Peach Sandstorm has made significant strides in its operational capabilities, particularly in targeting the aerospace sector, deploying customized malware, and utilizing advanced social engineering tactics.

On 28 August 2024, Microsoft Defender Threat Intelligence released a detailed report on Peach Sandstorm’s latest campaign. This operation saw the deployment of a new multi-stage backdoor malware dubbed “Tickler”, used to target entities in multiple sectors, including satellite and communications. This latest campaign marks the third instance of space-targeting by this group between September 2023 and August 2024 and underscores the continued development of unique backdoors by Peach Sandstorm and other threat groups.

Attack Pattern:

Historically, Peach Sandstorm has employed password spraying in combination with social engineering tactics, often leveraging professional networking platforms like LinkedIn to trick individuals into revealing login credentials. For instance, in March 2024, researchers observed Peach Sandstorm (tracked under the alias Curious Serpens) using phishing lures aimed at job seekers in the aerospace and defense sectors. These lures were part of a broader strategy that ultimately led to the deployment of backdoor malware known as “FalseFont”. Peach Sandstorm’s prolonged activity has led the group to be classified as an advanced persistent threat (APT 33) by Mandiant.

In its most recent campaign, Peach Sandstorm has refined its tactics, techniques, and procedures (TTPs), incorporating the use of Microsoft Azure infrastructure for command and control (C2) services. This shift underscores the growing trend among sophisticated threat actors to exploit cloud services for malicious activities. This adaptation demonstrates Peach Sandstorm’s ability to evolve its approach in response to emerging technologies and defenses.

Overall, Peach Sandstorm’s recent operations have primarily focused on organizations operating in the aviation and satellite sectors, both in military and commercial contexts. Their choice of high-value targets suggests the group’s operations are designed to facilitate intelligence collection in support of state interests.

Tickler Malware:

The Tickler malware, central to Peach Sandstorm’s latest campaign, is a customized, multi-stage backdoor designed to download additional malware onto compromised systems. The payloads deployed by Tickler are capable of performing various malicious activities, including collecting system information, executing commands, deleting files, and facilitating data exfiltration to a C2 server. This malware represents a significant advancement in Peach Sandstorm’s capabilities, demonstrating the group’s continued focus on developing sophisticated tools for espionage purposes.

Microsoft’s report also highlights Peach Sandstorm’s increased reliance on LinkedIn for intelligence gathering and social engineering attacks. These techniques, combined with password spraying and other TTPs, have become hallmarks of Peach Sandstorm’s operations, allowing the group to successfully infiltrate and compromise high-value targets.

History of Space Sector Targeting:

Peach Sandstorm’s interest in the aerospace sector is not new. Beginning in 2016 and continuing into 2017, the group, known at the time as APT33, expanded its targeting to include aerospace and aviation-related organizations. During this period, they also targeted the petrochemical sector, using spear phishing emails designed to lure recipients with job vacancy announcements. These emails contained malicious attachments that, when opened, initiated a sequence of infections. In 2023, Microsoft observed password spray attacks targeting thousands of organizations that were directly attributable to Peach Sandstorm.

Between April and July 2024, Peach Sandstorm conducted the aforementioned cyber espionage campaign that leveraged Microsoft’s Azure infrastructure for C2 purposes. During this period, the group also conducted password spray attacks targeting the educational sector for infrastructure procurement, while focusing on the satellite, government, and defense sectors for intelligence gathering. The group also relied on social engineering efforts in attacks against organizations in the higher education, satellite, and defense sectors, targeting victims via the LinkedIn professional networking platform.

Table 1: Peach Sandstorm Targeting History

Time Period Campaign Details
Apr – Jul 2024 Peach Sandstorm deployed “Tickler” backdoor in attacks against satellite, communications equipment, oil and gas, and government sectors in the United States and United Arab Emirates.
Dec 2023 – Mar 2024 *Curious Serpens threat actors deployed “FalseFont” backdoor by mimicking legitimate HR software and impersonating an aerospace organization.
Feb – Sep 2023 Peach Sandstorm targeted global satellite, defense, and pharmaceutical sectors in a series of password spraying attacks.
Mar 2023 Peach Sandstorm conducted a Golden SAML (security assertion markup language) attack to bypass authentication and access a target’s cloud resources.
2018 – 2019 *HOLMIUM conducted a series of cloud-based attacks against multiple organizations through password spray activities, exploitation of CVE-2017-11774, and the abuse of Microsoft Exchange services.
2016 – 2017 *APT33 targeted aerospace and energy sectors headquartered in the United States, Saudi Arabia and South Korea via destructive malware.
* Indicates alias of Peach Sandstorm threat group

Conclusion:

Peach Sandstorm’s continued targeting of the aerospace sector underscores the persistent and evolving nature of Iranian cyber espionage operations. The group’s ability to adapt its tactics, such as the use of cloud infrastructure for C2 operations and the deployment of customized malware like Tickler, highlights the growing sophistication of state-sponsored threat actors. Organizations looking to stay vigilant of these threats can review best practices for protecting against password spray attacks, as well as indicators of compromise (IOCs) associated with the Tickler Backdoor via Microsoft’s recent publication.