Sep 15, 2023 - Technology

Iranian hackers target satellite, defense firms, Microsoft says

Illustration: Sarah Grillo/Axios

Iranian hackers have hacked dozens of companies in the defense, satellite and pharmaceutical sectors this year using a fairly unsophisticated, blunt hacking technique, Microsoft warned in a new report.

Why it matters: Many of these companies are based in the U.S., and the breaches come amid heavy U.S. sanctions targeting Iranian oil and petrochemical sales.

Details: Microsoft said Thursday that Iranian hacking group Peach Sandstorm — which other firms also refer to as APT33, Elfin or Refined Kitten — has been breaking into these companies by trying to guess multiple user accounts' passwords.

  • The password-spraying campaign took place between February and July this year, Microsoft found.
  • In some cases, the hackers were able to exfiltrate data, and in others, they just lurked on the networks to see what intelligence they could gather.
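The defender's view of the technique described above, as an added example that is not from Microsoft's report or this article: a small detector that flags the password-spray signature, one source failing against many distinct accounts in a short window (rather than many attempts on one account), and records which accounts that same source then signed into successfully. The log format and the sample sign-in lines are constructed for the example.

```python
"""Flag password-spray patterns in sign-in logs: one source, few attempts
per account, many distinct accounts, then a success worth investigating."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data): timestamp, source IP, account, result.
# 203.0.113.7 sprays six accounts and lands on one; 198.51.100.9 hammers a
# single account (brute force, not spray) and should not trigger this rule.
SAMPLE_LOG = """\
2023-03-02T08:00:01Z 203.0.113.7 alice@example.test FAIL
2023-03-02T08:00:03Z 203.0.113.7 bob@example.test FAIL
2023-03-02T08:00:05Z 203.0.113.7 carol@example.test FAIL
2023-03-02T08:00:07Z 203.0.113.7 dave@example.test FAIL
2023-03-02T08:00:09Z 203.0.113.7 erin@example.test FAIL
2023-03-02T08:00:11Z 203.0.113.7 frank@example.test SUCCESS
2023-03-02T08:00:13Z 198.51.100.9 alice@example.test FAIL
2023-03-02T08:00:15Z 198.51.100.9 alice@example.test FAIL
2023-03-02T08:00:17Z 198.51.100.9 alice@example.test FAIL
2023-03-02T08:00:19Z 198.51.100.9 alice@example.test SUCCESS
"""

def parse_log(text):
    """Parse 'timestamp source account result' lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: (distinct accounts that failed, accounts that later succeeded)}
    for every source that failed against >= min_accounts distinct accounts
    inside any sliding window of length `window`."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()  # chronological per source
        for i, (t0, _, _, _) in enumerate(evs):
            failed, succeeded = set(), set()
            for t, _, user, result in evs[i:]:
                if t - t0 > window:
                    break
                (failed if result == "FAIL" else succeeded).add(user)
            if len(failed) >= min_accounts:
                alerts[src] = (len(failed), sorted(succeeded))
                break  # one alert per source is enough
    return alerts
```

The successful sign-ins listed next to a spraying source are the "legitimate credentials" case the report describes, and are the first accounts to reset and review.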

Yes, but: The Iranian group targeted thousands of companies as part of this monthslong campaign — but was able to access only a small percentage of those organizations, Microsoft said.

The big picture: Peach Sandstorm's past campaigns are known to have targeted aviation, construction, defense, education, energy, financial services, health care, government, satellite and telecommunications companies.

What they're saying: "The capabilities observed in this campaign are concerning as Microsoft saw Peach Sandstorm use legitimate credentials (gleaned from password spray attacks) to authenticate to targets' systems, persist in targets' environments, and deploy a range of tools to carry out additional activity," Microsoft wrote in the report.

Threat level: Iran was likely using the attack for routine espionage, Microsoft said, rather than for a destructive cyberattack.

  • However, the U.S. intelligence community has warned that Iran is "more willing than before to target countries with stronger capabilities" as part of its state-backed cyber operations.
