The Microsoft Threat Intelligence Podcast 10.11.23
Ep 1 | 10.11.23

Peach Sandstorm


Sherrod DeGrippo: Welcome to The Microsoft Threat Intelligence Podcast. I'm Sherrod DeGrippo. Ever wanted to step into the shadowy realm of digital espionage, cybercrime, social engineering, fraud? Well, each week, dive deep with us into the underground. Come here for Microsoft's elite threat intelligence researchers. Join us as we decode mysteries, expose hidden adversaries and shape the future of cybersecurity. It might get a little weird, but don't worry. I'm your guide to the back alleys of the threat landscape. Hello, and welcome to another episode of The Microsoft Threat Intelligence podcast. I have an exciting group of really impressive subject matter experts. Today we're talking about Iran, APT. With me I have Simeon Kakpovi, senior threat intelligence analyst at Microsoft. I have Emiel Haeghebaert, senior hunt analyst; and Lauren Podber, senior fusion analyst. Welcome to the show, everyone. It's so nice to have you here.

Simeon Kakpovi: Thank you so much. We're excited to be here.

Sherrod DeGrippo: So I want to kind of jump right in because this is a topic that I find fascinating. Iran is one of those what we consider top four countries, right? Russia, China, North Korea, Iran, they kind of build out that APT heavy hitter list, right? And so I know that you released a blog called Peach Sandstorm password spray campaigns enable intelligence collection at high value targets. So this is what we want to talk about today is this blog that's come out and what that kind of means, what the impact is. And then we'll talk a little bit broader about Iran. So, Simeon, I've talked to you about Iran quite a bit in the past. So can you kind of give me a couple of pieces of information about Peach Sandstorm, specifically?

Simeon Kakpovi: Yeah. Of course. Peach Sandstorm is one of about 30 different Iranian threat actor groups that we track over here in MSTIC. It's one that we've tracked since 2019 that was conducting password sprays, which is a very interesting technique because it was -- they were able to gain access to so many organizations that way. So they went dark right around the time that COVID happened. So we didn't see them for about three to four years. And they reappeared in 2023, more or less picking up where they left off a couple years ago so using some of the same infrastructure, using some of the same techniques, as well as targeting some of the exact same victims that they were going after four years ago. So it's a really interesting story of a threat actor group that's, you know, doing semi-interesting stuff, goes off the grid around the time COVID starts, and then just reappears a couple years later doing more or less the same things but with some interesting twists around it.

Sherrod DeGrippo: Okay. Cool. So I'm looking here, too, at this brief, and it looks like Peach Sandstorm has hit aviation, construction, defense, education, energy, financial, healthcare, government, satellite, telecom and then, in 2023, started focusing on things like the satellite defense and pharma. So can we kind of understand, if all of you could kind of help me understand why they might have changed their vertical targeting in 2023?

Emiel Haeghebaert: So I think one thing that's interesting here is, it seems like the targeting in the new phase of activity compared to the 2019 activity, it's a little bit more focused, as you alluded to, right. So the sector targeting is a little less broad. And I think we have to imagine, you know, there's humans behind this on the other end. We can think about the sort of the goals of the sponsors behind these groups, right, and how those evolve over time. So when we look at 2019 activity and 2023 activity, perhaps a little bit more focused now. And maybe that's because the sponsors behind these groups have objectives that are more narrow and more focused in nature. So we see that reflected in the activity conducted by the actual operators behind the keyboard.

Sherrod DeGrippo: Okay. So I see, too, this is also known as APT33, Elfin, and Refined Kitten. So, Lauren, one of the things that people often ask about is what is the deal with the kittens? So do you want to add anything about why kitten, specifically kitten is the primary animal for Iran?

Lauren Podber: Yeah. So I think kitten is a CrowdStrike designation. I assume there's like a Persian cat reference somewhere, but I'm not totally sure. But, like, the question with the names I think makes a lot of sense. Like, Microsoft's Sandstorm designations we have are kind of very particular to our visibility, where the MSTIC analysts put those analytic parameters so that we can kind of track it in a rigorous way. But definitely overlaps with Refined Kitten, as you mentioned, on the CrowdStrike side.

Sherrod DeGrippo: And did any of you choose Peach for the Sandstorm modifier? Do you guys get to pick names?

Simeon Kakpovi: We do. I think I would be the one to blame for that.

Sherrod DeGrippo: You picked Peach? No, I -- well, I'm from Georgia. So my life is, you know, very peach heavy living in Atlanta. So you got to pick Peach. You know everyone wants to know about the threat actor names. It's like a huge thing. Do you get to just pick anything you want? What's the deal?

Simeon Kakpovi: Yeah. More or less I think you get to pick, you know, whatever sings to your heart. And different, you know, team leads have different methods of choosing the groups that correspond to what they think the threat actor should be called. You know, sometimes they want to, perhaps embarrass the threat actor. Or, you know, they have a specific pattern. I'm more of a wildcard in that sense and that I just pick whatever comes to the heart at that very moment. But one thing that we do have on the Iranian side, it's kind of like an ice cream type theme to all the different threat actors.

Sherrod DeGrippo: Oh. Okay.

Simeon Kakpovi: So we have Peach Sandstorm. We have Mint Sandstorm, which is formerly Phosphorus. We have Mango Sandstorm, which is MuddyWater previously. We have Pumpkin Sandstorm, which we used to call DEV-0146. What are some -- I must be forgetting somebody.

Sherrod DeGrippo: Pumpkin Sandstorm, great for the fall.

Simeon Kakpovi: Great for the fall. So it's right about that time now.

Sherrod DeGrippo: But Sandstorm is always Iran focused, correct? That's kind of the convention.

Simeon Kakpovi: Yep. That's correct. So whenever you see Sandstorm, that's usually one of the groups attributed to Iran.

Sherrod DeGrippo: Okay. So I want to talk a little bit about the actor infrastructure and things like that. So password spray attacks, give me a kind of a walkthrough of what this actor, when a password spray attack is leveraged by this threat actor, what does that kind of look like?

Emiel Haeghebaert: Password spray attacks are quite interesting. It's a sort of very loud way for the threat actor to try to gain access to organizations. So they will typically take a list of email addresses they know belong to an organization and try one or a few very common passwords against it. And so anyone who has password123 as their password will likely be compromised in an attack like this. So they can do this across thousands of organizations, tens of thousands of emails in a relatively short amount of time and then just kind of run with what works. So it's a very sort of non, like indiscriminate, very loud way to try to gain access to organizations and then move along from there.

Sherrod DeGrippo: And so do you feel like that's a primary security vector for this particular actor? If your organization wants to be able to secure against them, what kinds of things should an organization do for password spray attack in general but, specifically, I guess this actor too?

Emiel Haeghebaert: I think one of the most important things for this year is having some more sophisticated passwords, right, having long, complex passwords and two-factor. Sort of the default cyber hygiene recommendations here would apply.

Sherrod DeGrippo: Okay. And so I guess my question is, when it comes to something like brute force versus a password spray attack, what is the kind of differences between those two things?

Simeon Kakpovi: Yeah. That's a good question. With a brute force attack, from the victim perspective, you're seeing a lot of traffic coming your way from maybe either one IP or, you know, a set of IPs that look familiar. But you're going to see a flurry of activity all at once. With a password spray where the attacker is using one password against a lot of organizations, you might just see just a handful of attempts against your organization. So, from your perspective, it's not a big deal. You know, we saw five attempts. But, you know, from Microsoft's perspective, we'll see thousands of organizations that the actor's trying to access. We see that there's a bigger trend there that the actor is using that we might want to combat.

Sherrod DeGrippo: So the next thing I want to know about is volume. So usually when we think about APT versus crimeware, which we will definitely talk about crimeware because I can't stop, as you all know, there's a volume difference, right? Like, we see crimeware just no fear, right? They just go loud and hard and fast and, like, just do not care. So can we talk a little bit about in this particular Peach Sandstorm campaign that we're talking about, what are we seeing in terms of volumes there?

Emiel Haeghebaert: I think the volume question here is really interesting because you would be able to draw parallels to, okay, they're very loud. They're going against, you know, hundreds of organizations. So maybe this looks a little bit more crimy, but I think it goes back to what we were talking about earlier where it is really just indiscriminate but within the bounds of certain sectors, right. The password sprays might affect hundreds of organizations in Europe and North America and some of the Middle East, but it's still within that defense, industrial base, government, sometimes education sectors where those targets that, you know, something stuck, it will have stuck in an organization that ends up being interesting to them. So they're not really going after organizations and sectors that aren't of value to their sponsor.

Sherrod DeGrippo: Okay. Great. Does anybody else want to comment on the volume side of things? It sounds like there's some interesting stuff there.

Simeon Kakpovi: Yeah. So, I mean, they're password spraying a huge number of organizations. And then, once they get lucky, they will typically focus on just a handful. And what we see is that some of the organizations that they focus on and they have post-compromise activity on are some of the same organizations that they were interested in four years ago, right? So it's not like they were randomly interested in this organization. It's they were so interested in that organization that they decided to come back four years later and still be interested in that very same organization. And I think to Emiel's point, it points to the idea that, you know, they had some type of very specific defined tasking, and they're trying to meet those objectives that were given to them versus, you know, in crimeware, you might see, you know, if it doesn't hit, you know, move on to the next one, right? You only -- you don't have that much patience for each target. In this case, if they don't succeed today, they will come back tomorrow and the day after that and the day after that and the day after that.

Sherrod DeGrippo: I think it's a really good point to mention the patience, right, because we usually think of the P in APT as being persistent. But, in order to be persistent, you have to have a lot of patience too. And it sounds like, since this group has been active since I think you said 2018, it's -- I mean, that's five years at this point that it's been on the radar. So they are patient if not persistent, as well. So let me ask you about this, too. In the blog, there's this mention of targeting pharmaceutical companies potentially to obtain information that would allow the country to get means to domestically produce medicine like pharmaceuticals that it can't easily import. And that's more of that kind of geopolitical side of the attribution of, you know, the end goals, right. So we don't always know exactly what that is, but we can speculate a little bit based on other things we know. So can we kind of talk a little bit about how that works? I don't know if you're all experts on the sanctions aspect of it, but I do know that pharmaceuticals are sanctioned in terms of import limits into Iran. So is there anything that we can say about how this particular threat actor or Iran's cyberespionage programs overall might be furthering kind of getting around some of those sanctions goals?

Emiel Haeghebaert: I think this is a really interesting aspect to the targeting and tying into the geopolitics and the domestic situation, right. I think the first sort of public reporting coming out of different vendors saying Iranian groups are targeting pharmaceuticals and medical companies or researchers was around the COVID-19 pandemic. I think it's reflecting the fact that, despite medical supplies typically not being explicitly banned from export into Iran, a lot of the sanctions that are affecting the country sort of just make companies wary to do any kind of business with Iran. So that also will apply, then, to medical supplies that aren't technically banned. And, of course, we're just kind of speculating. We can't actually talk to the folks behind this and ask them why, what the real reason is. But I think it's safe to assume that that plays a part, right. They have a lot of issues getting medical supplies around cancer treatments. The COVID-19 pandemic hit the country very hard. So we can sort of speculate, hypothesize that they're trying to offset the challenges they're facing in that area by collecting that information that then pharmaceutical companies in the country could sort of help overcome those difficulties and get those medicines produced to help the local population.

Sherrod DeGrippo: Emiel, you said something really interesting that I'd like to ask each of you. But, Emiel, I'll start with since you brought it up. Let's say you could get Peach Sandstorm in a room. Let's say you could get those guys in a room. What would you ask them? You get one question. And they have to answer you honestly.

Emiel Haeghebaert: I would ask them what happened during the COVID-19 pandemic for them, why they took a break, what they were up to all that time because they came back with a few more sophisticated techniques and tools that I'm sure we'll talk about later in the episode. So I wonder, you know, were they busy upskilling while everyone was working from home, or what was -- what was going on there would be my question.

Sherrod DeGrippo: Okay. Cool. I like that. Simeon, what would you ask them? They're in a room with you. So let's say you have security too. You have physical security.

Simeon Kakpovi: Yeah. I mean, I think I would ask more or less the same questions that Emiel was asking is, you know, where did they go for training? Because they came back doing some things that we normally would not expect, so much so that we were wondering if that was actually them or if it were some other Russian actor. And I'd also be curious, like, what did they try that failed? I think, at the end of the day, right, APTs are humans just like us. So you have to imagine that they tried something and they failed. And they sought help, and they figured out how to improve their processes to get better. So I'd be curious to hear, like, from their perspective, you know, how they went about improving from times of old.

Sherrod DeGrippo: Okay. So far we've got what your -- where you've been; what have you been doing. Okay. Lauren, how about you?

Lauren Podber: So they're more practical than I am. I think I'd want to know maybe what scares them or how they think about deterrence. So when we're talking about sanctions without sort of having that policy lever of cutting them off from the international financial community or cutting off access to critical supplies like medical or even just having, as Emiel mentioned, the sort of secondary companies not wanting to do business with them. Like what would prompt them to reconsider pursuing a target in an organization? Like, are there elements where like, they would say the calculus would change for them, and they'd say, you know what? I don't actually think it's worth taking a risk being identified. So sort of what the scope of, like, deterrence, like, what, what and how could other organizations kind of think about making it less attractive for them or raising the costs for them if they were going to carry out some kind of activity.

Sherrod DeGrippo: I love that. I think between the three of you, you've got where have you been, what have you been doing, and how can we stop you all covered as questions. For me, I would love to get them in the room and probably try to understand the financials of their actual pay from Iran. Like, okay. You're in IRGC. Are you making enough money to support your family? Is it really worth it? And quite honestly, like, do you have a price? Like, could you be a double agent paid off to get out of this? I feel like, because I am kind of a crimeware person, I'm always looking for the money and how much money would it take to get you guys to quit? So let's talk a little bit about Iran's place in sort of that big four world. I'm always interested in kind of the stack rank of who's killing it and who kind of needs to catch up. So from that global perspective, where do we see Iran in terms of cyber capabilities? How do they compare against their counterparts in some of those other APT countries?

Simeon Kakpovi: Yeah. I mean, I think it depends what you mean by compare, right? It depends on the metrics that you want to use. Sometimes people use how many zero days are dropping as a metric for success. Sometimes people use how shiny malware is as your metric for success. If you use those metrics, then Iran isn't top of the chart. We're not really seeing too many zero days being used by those actors. And their malware isn't always as shiny as the other ones. But we can say that they do achieve success, right, by using open source tools; by using vulnerabilities already disclosed by others; by being very, very good at social engineering across the board, I think they still achieve success. They're meeting objectives that are being handed down to them. And, to a certain extent, we're seeing a shift more recently in that they're not unsophisticated, right. We're seeing them -- we published a blog on Mint Sandstorm more recently where we're seeing that actor, in particular, exploiting one-day vulnerabilities really quickly. So it's not taking them a whole week, a whole month to exploit a one-day vulnerability. As soon as someone's talked about it, they're right on top of that. We're seeing Peach Sandstorm now leveraging cloud techniques that we've previously only seen NOBELIUM or other more capable cybercrime actors using. I think there's a shift in Iran being more technical as of late, and we might continue to see more of that. But, as a whole, they've been fairly effective by using other means until now.

Sherrod DeGrippo: I'll just add, too, for those who don't have all of the names of every actor memorized the way that I do, and I'm definitely not checking the freely available Microsoft threat actor key that you can get in both JSON and XML format, NOBELIUM is also known as Midnight Blizzard at Microsoft, Russian originated threat APT29, Cozy Bear. And Mint Sandstorm is typically referred to as Phosphorus in the olden days before naming convention switched over. I'm going to try to get better at my naming convention brain key. But there's four columns in this spreadsheet, and we track hundreds and hundreds of actors. So they all have at least four names. So Emiel, Lauren, in terms of Iran, what kind of sets it apart from the other big capable actors that have those big programs like Russia, China, North Korea? Where does Iran lie? If you get all of them in a room, how are they different?

Emiel Haeghebaert: That's a really challenging question. I think some of it goes back to what Simeon was describing in terms of, you know, by conventional terms, if you want to use the word sophistication, they might be a little bit lower on the ladder. But they are surprisingly creative and persistent in how they approach things. So you kind of have to respect them for that. And, at the same time, I think they are not as scared of getting caught, so they're a little bit bolder in some of what they do. If you just think about some of the recent incidents where they've done a lot of hack-and-leak operations, they compromised dating websites in Israel and then dumped the data somewhere. Or they, you know, wipe government servers in Albania. Those are the types of things that are extremely brazen for something that's not during wartime the way we see the Russia Ukraine conflict playing out in the cyber world. So I think their sort of status as the pariah perhaps in the international system, very isolated, they have less to lose. So sometimes when they think there's a play to be made there, they may be less scared to actually go ahead and go through with it. And I think that might set them apart a little bit from some of the other actors that we track in different regions, maybe with the exception, perhaps, of North Korea who's in a similar situation, right.

Sherrod DeGrippo: Lauren, is there anything you want to mention about Iran being kind of set apart from some of those other countries that we see on the radar?

Lauren Podber: Sure. Yeah. I think just kind of to go back Simeon and Emiel both mentioned this but, like, just things being simple, not having to be sophisticated to be effective. I think we've really seen a lot of the Iranian groups use things like a password spray attack, or like some of these one-day vulnerabilities and be able to achieve really sophisticated outcomes with just sort of tradecraft that you can see in a lot of places. So I don't know if the quality is creative or effective, but I think it's really impressive to see them use sort of some of these standard capabilities to achieve their objectives.

Sherrod DeGrippo: And I guess from the perspective of somebody who's not super deep in APT, it sounds like there's this -- when it comes to persistence, there really is this, I have to do this. Like, I have to get that target. That is really where I'm focused whereas I think in crimeware a lot of times the obvious objective is I just need this amount of money, and it doesn't really matter where that money comes from. It doesn't really matter who the victim or target is, as long as the bank account is increased by this amount of money tomorrow. It sounds like with a lot of the APT actors that we see, the focus really is much more on that one singular prized thing, at that one singular target. So that's something interesting that I never really thought about before.

Simeon Kakpovi: Yeah. I like the way you put that. You know, you can hack all the organizations in the world, but it doesn't matter if you don't get that one organization that really matters to you and whoever tasked you. So organizations will spend a lot of time and a lot of effort just focusing on, like, one particular one. And, you know, sometimes we'll see them going after the same organizations. Really, in this case, we'll see them going after the same organizations for years at a time. And it's like, well, why are you doing that? Why did they matter to you so much, whereas a crimeware actor would have given up after about five minutes. But I think from a defensive perspective, if you were the defender, right, it makes it a different risk calculus, right, because you have to -- if you're being targeted by a particular organization and, you know, you're receiving notifications from Microsoft about XYZ APT's targeting you, you have to make sure that you're up on your -- you're doing your research about that particular group, right, because they may come after you again and again and again. And being aware of, you know, what they're doing and what their tradecraft is, will -- that help you better defend yourself in the long run.

Sherrod DeGrippo: Yeah. I think that's really important is that, when you're a defender and you're thinking about what's coming at you, you have to really understand the organization that you work at. Being in security operations -- which I've never done. I've only worked at security vendors and the government. So I've never really been at a typical organization trying to secure it. So when you're in those roles, you have to think about what does this organization do? What is my business? What kind of data do I have? How much money do we have? Who has access to it? And you really have to understand the world that you operate in because, ultimately, it sounds like, especially with APT actors, they're going to understand your world just as well as you do, potentially, maybe better. So I want to talk just quickly about the TTPs for this particular Peach Sandstorm attack. So we talked about it being password spray. Can we kind of walk through what happens when they are successful in doing that password spray attack, getting a successful login. They've authenticated. They're in. Do we know what they typically do once they've successfully authenticated with one of these password spray attacks?

Emiel Haeghebaert: So whenever they succeed in guessing the correct password via the password spray, we'll usually see the actor is using a dedicated IP to log into the victim tenant, right? So they'll, you know, drop their core node and they'll say, okay. Well, it's go time. We're going to go straight from whatever actor infrastructure is, log in and start trying to establish a more permanent foothold, right. So they don't want to be in for the short-term. They want to be in for the long run and continue to collect information about that organization, probably establish a few footholds that, you know, if the victim tries to kick them out, they can come back and use -- we've seen them use a series of really a diverse set of mechanisms for persistence, one of them being Azure Arc. Azure Arc is a tool that allows you to remotely -- to connect a box that is not on your network, right, from an on-prem device into your own cloud tenant, right. So the actor establishes a cloud tenant and then says, Hey. That box right there on the victim network is actually one of mine. Let me enroll that into my cloud network, which is a very sneaky way of using a legitimate tool to control a device that belongs to the victim. We see them using a series of tunneling tools, custom tunneling tools, as well as open source tools to tunnel through compromised cloud environments to the actor and the actual actor infrastructure. So, from the victim perspective, it doesn't look like you're speaking to actor infrastructure. It just looks like you're communicating with some random cloud IP somewhere, which is a lot harder to find than, you know, looking directly for suspicious activity coming from the actor. Simeon hit the nail on the head here with, like, the interesting techniques they're using, Azure Arc, pulling tools off of GitHub. And I just feel like this reinforces the point we made earlier where you don't need to be the best malware developer or find vulnerabilities in all kinds of products everywhere, right? They're pulling tools that already exist off of GitHub. They're using legitimate administrator tools in very creative ways, right. With the Azure Arc activity, when we first saw that, we hit up our Russia colleagues because we thought it was a Russian actor. We didn't think that an Iranian threat actor would try to pull that off. So they are being extremely resourceful in making up for perhaps some of the weaknesses in their teams and capabilities that they don't have. They're very resourceful in making up for those in the ways that we've described in the blog.

Sherrod DeGrippo: Yeah. I think that's really cool to mention, right? Like, a password spray is a great example of that, right? You only need to hit it once. Like, you only need to have one green light. You only need to have one jackpot. And it doesn't really matter that much how you get it, right. Like, if you can get it for low cost, which is using GitHub, Living Off the Land, if you can do it with off-the-shelf tools, well, you're operating in a cheap and efficient manner. You're keeping your budgets low, and you're getting your same objective for lower cost. But if you want to get, you know, big time 0-day and create your own exploits and things like that, then it's a little bit more expensive. And you might not be as successful. So I think that Iran -- and you can all correct me if I'm wrong because you're subject matter experts in Iran. But even over the past several years when I've been looking at Iran to some degree, they're a little scrappy. They're a little bit behind the curve sometimes, but they just keep going. They keep coming back and back and back. And I know one of the things that there was the drone strike of Soleimani a couple of years ago. I believe that was in January 2020. I think it was New Year's Eve. And the question kept coming back, you know, when is the cyberattack retaliation coming? And it didn't really happen I think in the way that people expected because Iran from a cyber perspective doesn't really seem to turn on a dime. They seem to get their operations and follow them through. Does that seem true from your perspective, too?

Simeon Kakpovi: Yeah. I remember that time, you know, I was working from -- as a defender, and everyone in the industry was spun up trying to figure out what would happen. And looking back at that time, there are actually quite a few different APT -- Iranian APT actors that were operating in that span of time that everyone was trying to find them, right. No one actually found them at the time, but there were quite a few that were active and that were successful. But they weren't necessarily looking to make anything flashy happen, right? There were operatives that were doing things for -- for years prior, and they weren't necessarily willing to give up, right, their hard work operations just to make a point at that particular time, which I think was interesting, right, given that sometimes Iran is looking to -- to make a point, right. And sometimes they do use IO hack-and-leak operations. They do use ransomware to make a point. So that one is -- it's a bit of a strange time for me.

Sherrod DeGrippo: It's a bit mysterious. Yeah. Everyone was sort of waiting for that other shoe to drop, and I don't know that it really did in the way that people thought it might. And, to me, that's a good -- that's sort of an iconic Iran representation, right. It's like you don't really know what they're going to do. And the operations that had been started prior to that drone strike just continued on in the same way. And there wasn't any pivoting off or, like, a major, major, major pull them off, make a different thing. You know, it just kept going. And specifically Silent Librarian, which is what I was looking at, at the time, they just kept up. I mean, they just came in. They did their to do list, and they went home at night. So okay. So what we'll kind of shift into now, I want to talk to each of you a little bit about sort of your backgrounds and what you enjoy doing. Lauren, let's start with you. I know that you studied Iran in college. Can you kind of tell us a little bit about that, and why Iran?

Lauren Podber: Sure. Yeah. So the major I picked was Middle Eastern Studies. This was sort of very poorly scoped. And so you had to take a language. Arabic was all filled up. That sounded really hard. So I started taking Persian, which I'm now terrible at, but I was really interested in the language. And so, as I kind of stayed the course there in school, I decided it would be really interesting to learn sort of more about, like, the political history and the culture to the extent that you can. So I spent almost six years studying it. And that's been really fun here at Microsoft to kind of be able to apply some of the theoretical stuff for the first time or to see sort of what you just touched on, Sherrod, like that relationship between real-world events and what we actually see in our data. And so being able to see, like, here is -- here are the types of places that are affected, here's when it happens, and getting to sort of see when things do and don't correlate.

Sherrod DeGrippo: Okay. So you have to make a choice. You can't do Iran. You're being put on another country or crimeware. What do you choose? What -- you can choose any other country, or you can come into the crimeware side.

Lauren Podber: So that's a tough question. I might come to the crimeware side. I think it depends on the role and the organization and the dataset, right. But if I'm going for -- here at Microsoft, on the Iran team, I think we're really lucky to get to work with so many customers -- or not so many, but there are customers where the Iranian actors are part of their threat model. I think maybe in a different role or on a different team, a lot of the crimeware, particularly some of the opportunistic or really high-volume stuff, I think there'd be an opportunity to make a really big impact learning there for a number of other customers.

Sherrod DeGrippo: Okay, cool. Good choice. Simeon. How did you fall into Iran? Because, when I first met you, you were doing Iran. And that's all I really know is that you've been on Iran for a long time.

Simeon Kakpovi: Yeah. Just a pure accident. You know, I was working as a defender. And, you know, one of my mentors, Eric Hutchins, Kill Chain guy, asked me to look over something that was Iran related. So I just kept going because nobody told me no. And, eventually, I started working with other Iranian groups. And a couple years later, here I am.

Sherrod DeGrippo: And how long have you been looking at Iran now?

Simeon Kakpovi: Since 2018. So for my values, I've been looking at Iranian threat actor groups. I started with Mint Sandstorm, which was Phosphorus a long time ago. And then I started working CURIUM, which is now Crimson and Cuboid Sandstorm. And then it just started adding on from that. So it's been a weird journey going from just looking at one group to looking at dozens of groups and, like, having to understand how the entire ecosystem works and, you know, knowing how the groups interact with each other. So it's been -- it's been a blast.

Sherrod DeGrippo: Okay. What's your choice?

Simeon Kakpovi: You know, crimeware is a different kind of fun.

Sherrod DeGrippo: I'm going to get you all on crimeware.

Simeon Kakpovi: What? I think it's a lot more fast-paced than what we see. It's a different kind of fun. I enjoy the Iran work because you get to methodically answer all your questions. You get to -- you know, it's like a slow burn, right? You get to answer all the questions, figuring out what's happening. All the arcs come to a full stop. But being able to stop ransomware also sounds pretty exciting. It's like a movie.

Sherrod DeGrippo: Yes. It is absolutely like a movie because it is that absurd. Well, I know, we've got some Lebanon actors that we track and the private sector offensive actors. Those are pretty interesting, too, because they're, you know, mercenaries for hire, basically. So I'm sure that they have some overlap. But I'm going to go ahead and say that I'm recruiting both of you into crimeware. Emiel, how did you end up in Iran? And by in Iran, I mean in the data coming from Iran threat actors.

Emiel Haeghebaert: I would love to visit Iran maybe when the domestic situation is a little different. So, for me, it was similar in the sense that -- similar to Simeon in the sense that it kind of just happened. In grad school, I had to choose an area of focus, and I also went with Iran. Took a national security class there, so learned all the ins and outs of how their national security apparatus works. In my first job in this industry, I started working on Middle Eastern threats. And then one of the analysts that was sort of leading the Iran effort started having less time for that and eventually left the company. So I kind of slowly grew into the main Iran analyst for the -- for the role I had there. I have since also started taking Farsi and sort of an interest in the domestic culture and politics, trying Iranian food, and have some Iranian American friends and sort of have a personal interest in how the country runs and what's going on there, both at the political level but also just, you know, people's lives. And I think that kind of keeps me motivated a lot to, you know, keep working on Iran at work, as well, because it's -- it feels like I learn a little bit more about the country every time I'm working the data too.

Sherrod DeGrippo: Absolutely. That's awesome. And speaking of food, we have the best Persian restaurant in Atlanta. So, if you are ever in Atlanta, I will take you. It's in midtown. It's not far from my house. It'll blow your mind, it's so good. Emiel, what if you had to choose another country? You can choose any other country, or you can choose crimeware.

Emiel Haeghebaert: I'm sad to disappoint you. You're not going to go three for three. I already work crimeware half of my day job in my current role. I split between Iran and crimeware for the most part. I would have to go with North Korea. I think they are sort of similarly underappreciated and underestimated. They're in a similar sort of, you know, pariah status internationally. They're dealing with a lot of things that they're trying to offset, the challenges they're facing, and they're doing so very creatively. So I think that would be a really fun actor set to work.

Sherrod DeGrippo: I'm going to consider that half of a victory because you're already doing some crimeware now.

Emiel Haeghebaert: That's fair.

Sherrod DeGrippo: Well, before we sign off, anything any of you would like to leave the audience with? Any final thoughts that you'd like to share? Lauren will go. What have you got?

Lauren Podber: Okay. I'll go. With a lot of the Iranian actors, something I always want to highlight and I think we as a group always want to highlight is that the same things that organizations can do to harden their attack surfaces against the tradecraft we see in some of these really interesting and targeted campaigns are also going to be really effective for a number of other actors. They're going to be effective for some of the crimeware campaigns. They're going to be effective against tradecraft from other groups. So whether or not, you know, Peach Sandstorm is in a given organization's threat model, a lot of the recommendations that we provide in the blog are going to be broadly effective.

Sherrod DeGrippo: Awesome. I love that. I think that's a really important thing for defenders to think about is that it's not necessarily about defending against a single actor. It's defending against an ecosystem, right? It's a threat landscape as a whole. So, you know, you can have some nice stories, I think, built around actor-centric defense. But, ultimately, you have to defend against them all. So put in as much as you can. Whenever I see the teams come together like this with these multiple subject matter experts to put out these fantastic Microsoft Threat Intelligence Blogs, it's really amazing to me. I can't believe the skill and scope level that everyone works at to get all these blogs written, which hopefully soon on another episode we'll talk about the behind the scenes of making a blog post at Microsoft Threat Intelligence Blog because, wow. It's a lot. Simeon, any final thoughts you'd like to share?

Simeon Kakpovi: I'll concur that it's been a lot of fun trying to figure out what it is that Peach Sandstorm was doing. I think the reaction that I had at every step of the way was, is this Peach Sandstorm? There's no way it could be. And then every single time it's Peach Sandstorm yet again. So that was always a wild ride to see. The other thing I want to leave with is that I think Peach Sandstorm and their use of interesting cloud techniques and the use of all these fancy tunnels really signals that APT actors are able to grow and evolve over time, which may mean in the future, right, at least in Iran, that we may have -- and it's already a trend that we spoke about with Mint Sandstorm is that we're seeing all these different groups that are learning and growing, collaborating, trying to figure stuff out. So, in the future, we may have Iranian groups operating more like Chinese groups, right? Maybe more mature, sophisticated, right, using one-day vulnerabilities a little bit quicker or maybe even in the future using zero days. I can't predict the future, so we'll just have to wait and see. But it's definitely possible that we're starting to see a change in the overall Iranian cyber ecosystem.

Sherrod DeGrippo: Awesome. Thanks for sharing that. I think that evolution point is really important. And it's universal. It's across the threat landscape. Threat actors grow and change just like all of us in our personal lives and become better and better at what they do. Or, as we see in the crimeware side of the house, a lot of times they quit their group, they break up the band, and they start another side project. So I'm sure that there's some APT overlap there as well. Thank you all so much for joining. I cannot wait to hear more about the Iranian landscape. So we'll have to have you all back again. Simeon, Lauren, Emiel, I really appreciate it. Thank you for teaching us so much about Peach Sandstorm and the Sandstorm ecosystem overall. Thank you.

Simeon Kakpovi: Thank you so much. It was a pleasure.

Lauren Podber: Yeah. Thank you, Sherrod, so much for hosting us and to Simeon and Emiel who did the amazing research over several months and several intrusions that they really brought together.

Sherrod DeGrippo: Thanks for listening to The Microsoft Threat Intelligence podcast. We'd love to hear from you. Email us with your ideas at Every episode, we'll decode the threat landscape and arm you with the intelligence you need to take on threat actors. Check us out, for more. And subscribe on your favorite podcast app.