Sponsored By

Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Microsoft: Iran's Mint Sandstorm APT Blasts Educators, Researchers

The Charming Kitten-related cyber-espionage group is posing as legitimate journalists and researchers to get intel on the Israel-Hamas war.

4 Min Read
Desert sandstorm
Source: Zoonar GmbH via Alamy Stock Photo

The Iran-linked Mint Sandstorm group is targeting Middle Eastern affairs specialists at universities and research organizations with convincing social engineering efforts, which conclude by delivering malware and compromising victims' systems.

The latest espionage campaign by the Mint Sandstorm group, which has ties to the Iranian military, aims to steal information from journalists, researchers, professors, and other professionals who cover security and policy topics of interest to the Iranian government.

According to a Microsoft advisory out this week, the cyber-espionage group uses lures related to the Israel-Hamas war, leading Microsoft to conclude that the group likely intends to gather intelligence on and perspectives about that conflict from policy experts. 

The group is well known for its persistent and sustained efforts, the analysis stated.

"Patient & Highly Skilled Social Engineers"

Mint Sandstorm is Microsoft's name for a collection of cyber-operations teams linked to the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran's military.

The group overlaps with threat actors known as APT35 by Google's Mandiant and Charming Kitten by Crowdstrike; the latest espionage campaign is likely run by a "technically and operationally mature subgroup of Mint Sandstorm," the company said.

"Operators associated with this subgroup of Mint Sandstorm are patient and highly skilled social engineers whose tradecraft lacks many of the hallmarks that allow users to quickly identify phishing emails," Microsoft Threat Intelligence stated in the analysis. "In some instances of this campaign, this subgroup also used legitimate but compromised accounts to send phishing lures."

The group is well known for sophisticated social engineering campaigns, according to Secureworks, which considers Microsoft's Mint Sandstorm to most closely align with the group Secureworks' Counter Threat Unit (CTU) calls "Cobalt Illusion."

The group regularly conducts surveillance and espionage activities against those considered to be a threat to the Iranian government — for example, targeting researchers documenting the suppression of women and minority groups last year, says Rafe Pilling, director of threat research for the CTU.

"Any institutions or researchers that study topics of strategic or political interest to the government of Iran or their subordinate intelligence functions could be a target," he says. "We've seen journalists and academic researchers that cover Iranian and Middle Eastern political, policy and security issues being targeted as well as IGOs and NGOs that work within Iran or in areas of interest to Iran."

Impersonators Extraordinaire

The group frequently conducts resource-intensive social engineering campaigns against targeted groups or individuals, much like the Russian APT group ColdRiver, also the subject of threat intelligence analysis this week. Adopting the mien of journalists or known researchers is a typical tactic of Mint Sandstorm, and targeting educational institutions has also taken off.

Typically, Mint Sandstorm will engage with the targeted individual in the guise of requesting an interview or initiating a conversation about specific topics, eventually manipulating the email thread to the point that the individual can be convinced to click on a link, Secureworks' Pilling says.

If the group can steal credentials for an email account, it will often use that to better pose as a legitimate journalist or researcher, Pilling says.

"Actually compromising the email account of a journalist to then target other individuals is much less common but not unheard of," he says. "Some state-sponsored groups will compromise organizations that their targets work with to send phishing attacks that are more likely to be trusted by their real target."

Custom Backdoors for Cyber-Espionage

Once the attackers have gained rapport with their target, they send an email containing a link to a malicious domain, often leading to a RAR archive file that they claim contains a draft document for review. Through a series of steps, the attackers would eventually drop one of two custom backdoor programs: MediaPI, which poses as Windows Media Player, or MischiefTut, a tool written in PowerShell. 

"Mint Sandstorm continues to improve and modify the tooling used in targets' environments, activity that might help the group persist in a compromised environment and better evade detection," Microsoft stated.

Nation-state-backed groups and financially motivated cybercriminals often share techniques, so the use of custom backdoor is a notable, Callie Guenther, a senior manager for cyber-threat research at Critical Start, wrote in a statement.

"The spread of these tactics could signal an overall escalation in the cyber-threat landscape," she said. "What begins as a targeted, geopolitically motivated attack could evolve into a more widespread threat, affecting a larger number of organizations and individuals."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights