An Iranian cyberespionage campaign: "Peach Sandstorm."
By Tim Nodar, CyberWire senior staff writer
Sep 15, 2023

An Iranian espionage campaign targets the satellite, defense, and pharmaceutical sectors.

Microsoft warns that the Iranian state-sponsored actor Peach Sandstorm (which Microsoft formerly tracked as “HOLMIUM”) has been launching password-spraying campaigns against thousands of organizations since February 2023, with a particular focus on the satellite, defense, and pharmaceutical sectors. The goal of the campaign appears to be espionage.

Legitimate credentials obtained by password spraying.

In a small number of cases, the threat actor succeeded in breaching organizations and exfiltrating data. Microsoft says, “The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets’ systems, persist in targets’ environments, and deploy a range of tools to carry out additional activity. Peach Sandstorm also created new Azure subscriptions and leveraged the access these subscriptions provided to conduct additional attacks in other organizations’ environments.”

Password-spraying attacks are not difficult to prevent.

Use unique, strong passwords. That’s the advice from Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, who wrote, “Password spray attacks don't work when users use unique, strong passwords for every site and service (or multifactor authentication). Most sites and services don't accept MFA, at least not yet. That's why every user should use a good password manager. A password manager allows users to have unique, very strong passwords on every site and service without having to remember what those passwords are.”