Iranian Hacking Group Unleashes New Backdoor to Infiltrate Space Industry

APT 33 is a hacking group backed by the Iranian government, and Microsoft calls them “Peach Sandstorm.” This group has been a major player in international cyber espionage for over a decade. The group has been known to target a host of public and private organizations, including critical infrastructure, using both simple and sophisticated attack methods. Among their arsenal are strategic but straightforward tactics like “password spraying,” as well as the development of more complex malware intended for industrial disruption. Now, according to new research by Microsoft, Peach Sandstorm is expanding its cyber capabilities, now promoting a newly discovered multistage backdoor dubbed “Tickler.”

“Tickler” is a malware tool specifically engineered for the remote functioning of infected networks. The aforementioned backdoor is then utilized by Peach Sandstorm once the initial access was gained by means of password spraying or social engineering tactics. In recent months, this malware has been seen in an operation against targets across a number of sectors, including those operating in the satellite communications, oil and gas, as well as several government agencies within the United States and the United Arab Emirates. The development and deployment of Tickler represent a focused effort on the part of Peach Sandstorm toward the realization of very specific objectives on both the espionage and operational fronts.

In addition to using the Tickler malware, Peach Sandstorm has also been employing low-tech but high-yielding password-spray attacks. This technique involves trying common or leaked passwords across thousands of accounts in an effort to gain unauthorized access. This tool has been utilized by the group against over one thousand entities since February of 2023. For instance, Microsoft announced that it observed Peach Sandstorm targeting entities spanning from the U.S. to Australia from April to May of 2024, and focusing on a diverse set of companies in the space, defense, government, and education sectors. All these go on to show that there is a continued strategic interest in attacks against these industries that are critical to national security and technological progress.

Another dimension regarding the activities of Peach Sandstorm involves social engineering, and this is through LinkedIn. The group had started building fake profiles on LinkedIn since November 2021, where it impersonated students, software developers, and talent acquisition managers. The objective of these fake profiles was the gathering of information in an intelligence collection effort to be used in the future to target social engineering, possibly against higher education and satellite sectors. Microsoft has discovered and then taken down those fake accounts. But the fact that such methods persist gives further proof to the multifaceted approach of Peach Sandstorm on intelligence collection.

Microsoft has further taken a proactive approach in the detection and notification of the targeted customers of Peach Sandstorm being those of account password spraying attacks as well as those infected by the Tickler Malware. This says they are conversant and also flexible with the contemporary cloud-based systems since the Azure subscriptions had been tampered to run the victims cloud infrastructures. “While these might seem new targets for Peach Sandstorm, this cluster has had a sustained interest in satellite-related targets,” said Sherrod DeGrippo, threat intelligence director of Microsoft. “They’ve had previous operations that showed a strong focus on targets in the satellite, defense and pharmaceutical sectors across the globe.”