Iranian Government-Linked Hacking Group Mint Sandstorm Attacks US Critical Infrastructure

A new report from Microsoft’s Threat Intelligence team highlights that the Iranian hacking group Mint Sandstorm is conducting cyberattacks on US critical infrastructure in retaliation for recent attacks on Iran’s infrastructure, attacks that have been attributed to the US and Israel. The group, previously known as Phosphorus and linked to the Islamic Revolutionary Guard Corps (IRGC), is believed to work for the Iranian government.

US Infrastructure Under Attack

The Iranian hacking group Mint Sandstorm has switched from surveillance to direct attacks on US critical infrastructure, according to a new report by Microsoft’s Threat Intelligence team. The intrusions targeting US infrastructure are believed to be retaliation against the US and Israel, who were allegedly responsible for attacks on Iran’s infrastructure, including the cyberattack that caused an outage at Iranian gas stations in October 2021 and the disruptive attacks on Iran’s railway system in June of the year before last.

The Microsoft report also highlights that the Iranian government is empowering state-sponsored threat actors, giving them more freedom when conducting attacks and leading to an overall increase in cyberattacks. The increased aggression and frequency of attacks by Iranian threat actors appear to correlate with moves by the Iranian regime under a new national security apparatus, suggesting that the group is operating with fewer constraints.

In 2021, the Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned ten individuals and two entities affiliated with Iran’s IRGC whose activities overlap with those attributed to Phosphorus, the previous name of the Iranian hacking group.

Mint Sandstorm’s Strategies

Microsoft reported that a subgroup of Mint Sandstorm commonly weaponized proof-of-concept exploits as soon as they became publicly available. The attackers also employed older vulnerabilities, such as Log4Shell, to breach unpatched devices, alongside N-day exploits that leverage already-known vulnerabilities.

After gaining access to a network, the Mint Sandstorm threat actors use the Impacket framework to move laterally across the network while carrying out one of two attack chains.

First Attack Chain by Mint Sandstorm

The first attack chain steals the target’s Windows Active Directory database, which furnishes the hackers with users’ credentials that help them deepen the intrusion or evade detection on the network.

Second Attack Chain by Mint Sandstorm

The second attack chain deploys custom backdoor malware, called Drokbk and Soldier, that is used to maintain persistence on compromised networks and to deploy additional payloads. Drokbk is a .NET application that serves as both an installer and a backdoor payload; it retrieves a list of command and control (C2) server addresses from a README file on an attacker-controlled GitHub repository. Soldier is a .NET backdoor that can download and execute additional payloads and can uninstall itself; it similarly retrieves its list of C2 servers from a GitHub repository.

Apart from using exploits to breach networks, Microsoft reported that these attackers conducted low-volume phishing attacks against a small number of targeted victims. The phishing messages included links to OneDrive accounts hosting PDFs that purported to contain information about security or policy in the Middle East. The PDFs in turn included links to a malicious Word template that used template injection to execute a payload on the device. These phishing attacks were used to establish the CharmPower PowerShell post-exploitation framework for persistence and for executing further commands.
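Word template injection works by pointing a document’s attached-template relationship at a remote URL, so a defender can triage suspicious .docx attachments by unpacking the file and looking for an external `attachedTemplate` relationship. The script below is an added example written for this article, not code from Microsoft’s report or from the threat actor’s tooling: it builds a constructed sample document with a remote template reference (the hostname `template.example.invalid` is a placeholder), then scans it with a function that returns every external template target it finds.

```powershell
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Scan a .docx (an OOXML zip) for relationship parts that attach a template from an external URL.
# Returns one object per finding; an empty result means no remote template reference was present.
function Get-RemoteTemplateReference {
    param([Parameter(Mandatory)][string]$Path)

    $findings = @()
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Template attachments are declared in word/_rels/settings.xml.rels; check every .rels part under word/ to be safe.
            if ($entry.FullName -notlike 'word/_rels/*.rels') { continue }

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$rels = $reader.ReadToEnd() } finally { $reader.Dispose() }

            foreach ($rel in $rels.Relationships.Relationship) {
                # A benign local template has no TargetMode; an injected one is External and points at a URL.
                if ($rel.Type -like '*/attachedTemplate' -and $rel.TargetMode -eq 'External') {
                    $findings += [pscustomobject]@{
                        File   = $Path
                        Part   = $entry.FullName
                        Target = $rel.Target
                    }
                }
            }
        }
    }
    finally { $zip.Dispose() }

    return $findings
}

# Build a minimal constructed .docx whose settings part attaches a remote template (sample input only).
function New-SampleDocx {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$TemplateUrl)

    if (Test-Path $Path) { Remove-Item $Path -Force }
    $archive = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $parts = @{
            'word/document.xml'            = '<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>'
            'word/settings.xml'            = '<?xml version="1.0" encoding="UTF-8"?><w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships"><w:attachedTemplate r:id="rId1"/></w:settings>'
            'word/_rels/settings.xml.rels' = "<?xml version=`"1.0`" encoding=`"UTF-8`"?><Relationships xmlns=`"http://schemas.openxmlformats.org/package/2006/relationships`"><Relationship Id=`"rId1`" Type=`"http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate`" Target=`"$TemplateUrl`" TargetMode=`"External`"/></Relationships>"
        }
        foreach ($name in $parts.Keys) {
            $writer = New-Object System.IO.StreamWriter($archive.CreateEntry($name).Open())
            try { $writer.Write($parts[$name]) } finally { $writer.Dispose() }
        }
    }
    finally { $archive.Dispose() }
}

# Usage: create the constructed sample, scan it, and report any external template targets.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'template-injection-sample.docx'
New-SampleDocx -Path $sample -TemplateUrl 'http://template.example.invalid/update.dotm'   # placeholder URL
$hits = Get-RemoteTemplateReference -Path $sample
if ($hits) { $hits | Format-Table -AutoSize } else { Write-Host "No remote template reference found in $sample" }
```

In practice this function would be pointed at quarantined attachments or at files extracted from mail-gateway logs; any non-empty result is worth a closer look, since ordinary documents rarely attach a template over HTTP. The check deliberately keys on the relationship type and `TargetMode="External"` rather than on a particular URL, so it is not tied to any one campaign’s hosting.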

Microsoft Recommendations

To stay safe from these threats, Microsoft recommends using attack surface reduction rules to block executables that do not meet specific criteria. The relevant rules block executable files from running unless they meet a prevalence, age, or trusted list criterion, block Office applications from creating executable content, and block process creations originating from PSExec and WMI commands.
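The three attack surface reduction rules above can be set on a Microsoft Defender Antivirus host with the built-in `Add-MpPreference` and `Get-MpPreference` cmdlets. The script below is an added example for this article, not configuration from Microsoft’s report: the rule GUIDs are the ones published in Microsoft’s ASR rule reference (verify them against current documentation before rolling out), and the choice to start in audit mode and switch to block mode per rule is an assumption about how a cautious deployment would proceed, not something the report prescribes.

```powershell
# ASR rule GUIDs from Microsoft's published reference, keyed by the rule names used in the recommendation.
$asrRules = [ordered]@{
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block Office applications from creating executable content'                                       = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block process creations originating from PSExec and WMI commands'                                  = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
}

# Apply one action (AuditMode or Enabled) to every rule in the table. Add-MpPreference merges with
# existing rules rather than replacing them, so other rules already configured are left untouched.
function Set-RecommendedAsrRules {
    param(
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Action = 'AuditMode'   # assumption: audit first, then enforce once event 1122 shows no legitimate hits
    )
    foreach ($name in $asrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] -AttackSurfaceReductionRules_Actions $Action
        Write-Host ("{0,-10} {1}" -f $Action, $name)
    }
}

# Read back the effective state so the change can be confirmed (or reported on by a compliance script).
function Get-RecommendedAsrRuleState {
    $pref = Get-MpPreference
    $ids = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $actionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

    foreach ($name in $asrRules.Keys) {
        $idx = [array]::FindIndex($ids, [Predicate[object]]{ param($x) $x -ieq $asrRules[$name] })
        $state = if ($idx -ge 0) { $actionNames[[int]$actions[$idx]] } else { 'Not configured' }
        [pscustomobject]@{ Rule = $name; Id = $asrRules[$name]; State = $state }
    }
}

# Usage (run in an elevated PowerShell session on a host with Defender Antivirus active):
Set-RecommendedAsrRules -Action AuditMode
Get-RecommendedAsrRuleState | Format-Table -AutoSize
# After reviewing Microsoft-Windows-Windows Defender/Operational audit events, enforce with:
# Set-RecommendedAsrRules -Action Enabled
```

The PSExec/WMI rule in particular can interfere with legitimate remote-administration tooling, which is why the audit pass matters: it lets the team see which of its own processes would have been blocked before the rule starts enforcing. Exclusions, if needed, are added with `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` rather than by disabling the rule.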

The threat actors rely heavily on vulnerabilities for initial access to corporate networks.

Microsoft highly recommends that organizations apply security updates as soon as possible, with particular attention paid to patching IBM Aspera Faspex, Zoho ManageEngine, and Apache Log4j2.


The Iranian hacking group Mint Sandstorm is linked to the Iranian government through the Islamic Revolutionary Guard Corps (IRGC). The group is conducting cyberattacks on US critical infrastructure, having switched from surveillance to direct attacks. The attacks are believed to be retaliation against the US and Israel for their alleged role in attacks on Iran’s infrastructure, and the Iranian regime’s new national security apparatus appears to be giving state-sponsored threat actors more freedom to conduct such attacks. Microsoft’s report describes the techniques used by the hackers and their capabilities for post-intrusion activity, and it recommends prompt security updates and the deployment of attack surface reduction rules to stay safe from these threats.