Iran has been conducting cyberattacks on critical U.S. infrastructure, believed to be retaliation for similar attacks carried out on the Islamic Republic, researchers at Microsoft warned earlier this month. The tech giant’s Threat Intelligence team further reported that a subgroup known as “Mint Sandstorm” has switched from performing surveillance in 2022 to conducting direct attacks on U.S. interests, including infrastructure.

The intrusions are believed to be in response to attacks carried out on Iranian infrastructure that have been attributed to the United States and Israel. That included a June 2021 attack on the Middle Eastern nation’s railway system and another attack in October 2021 that caused an outage at gasoline stations across the nation.

Researchers from Microsoft’s Threat Intelligence team now believe that Tehran is allowing state-sponsored threat actors more freedom when conducting retaliatory attacks – which has led to an increase in the overall number of incursions in the United States.

“Over the past several months, Microsoft has observed a mature subgroup of Mint Sandstorm, an Iranian nation-state actor previously tracked as PHOSPHORUS, refining its tactics, techniques, and procedures (TTPs). Specifically, this subset has rapidly weaponized N-day vulnerabilities in common enterprise applications and conducted highly-targeted phishing campaigns to quickly and successfully access environments of interest,” Microsoft Threat Intelligence stated in an April 18 blog post.

What is Mint Sandstorm?

The Microsoft team further explained that Mint Sandstorm – a composite name used to describe several subgroups of activity with ties to the same organizational structure – is associated with the intelligence arm of the Islamic Revolutionary Guard Corps (IRGC). That assessment has been corroborated by multiple credible sources including Mandiant, Proofpoint, and SecureWorks.

In 2022, the United States Department of Treasury sanctioned elements of Mint Sandstorm for past cyberattacks citing sponsorship from the IRGC.

Microsoft’s tracking of the larger Mint Sandstorm group also overlaps with activity that other vendors attribute to Tehran under names including APT35, APT42, Charming Kitten, and TA453. Mint Sandstorm has been known to pursue targets in both the private and public sectors, including political dissidents, activist leaders, the Defense Industrial Base (DIB), journalists, and employees at multiple government agencies, as well as individuals protesting oppressive regimes in the Middle East, the tech firm also noted.

Don’t Let Your Guard Down

The report from Microsoft also highlights why businesses and government entities need to remain ever-vigilant against cyberattacks from foreign state actors.

“Mint Sandstorm exhibits tell-tale marks of a more sophisticated adversary approach. Their attack process relies on timing since they are racing against patch timing for publicly disclosed new CVEs,” explained Matt Mullins, senior security researcher at Cybrary, via an email to ClearanceJobs.

“With this being said, there is an obvious effort to scour the internet for information on the latest PoCs, weaponizing them, and then swiftly launching campaigns to gain an initial foothold into networks,” Mullins warned.

“Threat actors are identifying and increasingly exploiting processes, or lack of processes, in vulnerability management,” added Zach Hanley, chief attack engineer at cybersecurity firm

“(Hackers) can invest in discovering 0-days, or they can abuse known, recent vulnerabilities that become public,” Hanley told ClearanceJobs in an email. “The continuous intelligence loop of identifying emerging threats and acting on the new risks before your adversary can will become a more critical investment that organizations will have to weigh in their overall security model. Gone are the days where an annual penetration test sufficed for reducing an organization’s risk.”

From Recon to Attack

Clearly, Mint Sandstorm has built on its cyber reconnaissance talents and now uses those skills to conduct cyberattacks. Beyond weaponized N-day vulnerabilities as an initial access vector, the group pairs template injection with small batches of phishing emails, a cautious and furtive approach that still rests on traditional phishing.
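Template injection in a phishing lure usually means a remote template: the Word document itself carries no macro, only an attachedTemplate relationship whose target is a URL, so the macro-bearing template is fetched when the document is opened and the lure passes static checks. The Python below is an added example, not code from the article or from Microsoft; it builds a minimal .docx in memory (a constructed sample, not a real lure) and inspects word/_rels/settings.xml.rels for an attached template that points at a remote host. The host address and file names are hypothetical placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote(target):
    """True when an attachedTemplate target would make Word reach out over the network."""
    if target.startswith("\\\\"):          # UNC path, e.g. \\server\share\t.dotm
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        return True
    # file://host/share/... has a netloc; a local file:///C:/... does not
    return parsed.scheme == "file" and bool(parsed.netloc)


def find_remote_templates(docx_bytes):
    """Return the remote targets of attachedTemplate relationships in a .docx (empty if none)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            if is_remote(target):
                hits.append(target)
    return hits


def build_docx(attached_template=None):
    """Constructed sample: a minimal .docx with an optional attached template (hypothetical content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        )
        zf.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            "<w:body><w:p><w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>",
        )
        zf.writestr(
            "word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            + ('<w:attachedTemplate r:id="rId1"/>' if attached_template else "")
            + "</w:settings>",
        )
        if attached_template:
            zf.writestr(
                SETTINGS_RELS,
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Relationships xmlns="%s">'
                '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                "</Relationships>" % (RELS_NS, ATTACHED_TEMPLATE, attached_template),
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical remote template host (documentation range 198.51.100.0/24).
    lure = build_docx("http://198.51.100.7/t.dotm")
    benign = build_docx("file:///C:/Users/alice/Templates/Normal.dotm")
    print("lure:", find_remote_templates(lure))      # one remote target
    print("benign:", find_remote_templates(benign))  # local template, nothing flagged
```

The check deliberately distinguishes a remote target from the file:///C:/... Normal.dotm reference that legitimate documents carry, so it can run as a mail-gateway or sandbox pre-filter without flagging every attached template.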

“Once inside, they appear to execute more standard post-exploitation operational procedures: recon, credential theft, and lateral movement, then escalation leading to exfiltration,” said Mullins.

“None of this tradecraft is particularly advanced at this stage but merely a standard and sufficient operation to maneuver in an internal network,” he continued. “Custom malware is always a bit harder but as the toolkits are more publicly shared, ensuring properly updated signatures will help a great deal with this aspect.”

Moreover, while initial payload detection is difficult at times, there are a number of ways to detect threat actors once they begin to execute the attack.

“There is no way to be 100% invisible,” said Mullins. “There are always tell-tale marks left and thus as defenders, we must use defense in depth and have well trained analysts and threat hunters who are capable to look closer at escalated tickets.”
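The tell-tale marks Mullins describes are the post-exploitation stages themselves: recon, credential theft and lateral movement each leave process-creation telemetry, and it is the sequence on one host inside a short window, more than any single command, that a threat hunter looks for. The Python below is an added example, not code from the article or from Cybrary; it runs a small stage-chaining rule over constructed process-creation events (hostnames, timestamps and command lines are hypothetical) and alerts on hosts where two or more distinct stages occur within 30 minutes. The stage patterns are illustrative starting points, not a complete signature set.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative stage signatures (assumed for this example; tune to your own telemetry).
STAGE_PATTERNS = {
    "recon": re.compile(
        r"\b(whoami|systeminfo|ipconfig|nltest|net1?\s+(group|user|view|localgroup))\b", re.I
    ),
    "credential_theft": re.compile(
        r"(comsvcs\.dll.*minidump|procdump.*lsass|mimikatz|sekurlsa)", re.I
    ),
    "lateral_movement": re.compile(
        r"(wmic\s+/node|psexec|\bsc\s+\\\\|winrs\s+-r|enter-pssession|invoke-command)", re.I
    ),
}


def classify(cmdline):
    """Return the set of post-exploitation stages a single command line matches."""
    return {stage for stage, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}


def hunt(events, window_minutes=30, min_stages=2):
    """Return {host: sorted stages} for hosts with >= min_stages distinct stages in any window."""
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev["cmdline"])
        if stages:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stages))

    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, stages in hits[i:]:          # events in [t0, t0 + window]
                if t - t0 > window:
                    break
                seen |= stages
            if len(seen) >= min_stages:
                alerts[host] = sorted(set(alerts.get(host, [])) | seen)
    return alerts


# Constructed process-creation events (hypothetical hosts and times), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-017", "ts": "2023-04-18T10:01:00", "cmdline": r"whoami /all"},
    {"host": "ws-017", "ts": "2023-04-18T10:02:10", "cmdline": r'net group "domain admins" /domain'},
    {"host": "ws-017", "ts": "2023-04-18T10:03:05", "cmdline": r"nltest /dclist:corp"},
    {"host": "ws-017", "ts": "2023-04-18T10:15:40",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 712 C:\Users\Public\o.dmp full"},
    {"host": "ws-017", "ts": "2023-04-18T10:20:00",
     "cmdline": r"wmic /node:fs-02 process call create cmd.exe /c whoami"},
    {"host": "ws-042", "ts": "2023-04-18T09:00:00", "cmdline": r"ipconfig /all"},
    {"host": "ws-042", "ts": "2023-04-18T14:30:00", "cmdline": r"net user"},
    {"host": "ws-042", "ts": "2023-04-18T14:31:00", "cmdline": r"notepad.exe report.txt"},
]


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(stages)}")   # ws-017 only
```

Chaining stages is what keeps the false-positive rate tolerable: an administrator running ipconfig or net user on ws-042 produces a single recon hit and no alert, while ws-017 shows recon, an LSASS dump via comsvcs.dll and WMI remote execution inside twenty minutes, which is exactly the ticket an analyst should escalate.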


Peter Suciu is a freelance writer who covers business technology and cyber security. He currently lives in Michigan and can be reached at You can follow him on Twitter: @PeterSuciu.