Iranian government-backed threat actor “MuddyWater” targets critical infrastructure in the US

A recent report by Microsoft sheds light on the activities of an Iranian government-backed threat actor known as “Mint Sandstorm.” The group has been identified as being responsible for a series of attacks aimed at critical infrastructure in the US between late 2021 and mid-2022. In this article, we will provide an overview of the threats posed by Mint Sandstorm, the tactics employed by the group, the targets, and the potential consequences of its activities.

Background information on Mint Sandstorm

Mint Sandstorm is the new name assigned to the threat actor previously tracked by Microsoft under the name Phosphorus. According to the company, Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC), rather than the Ministry of Intelligence and Security (MOIS). This distinction is important as it suggests that Mint Sandstorm is potentially even more dangerous than previous Iranian-backed threat actors.

Targeted entities

The targets of Mint Sandstorm include a diverse range of critical infrastructure organizations such as seaports, energy companies, transit systems, and a major US utility and gas company. The selection of these targets highlights the importance of these entities to the functioning of society and the potential consequences of a successful attack.

Tactics used by Mint Sandstorm

Mint Sandstorm employs highly-targeted phishing campaigns as a way of gaining initial access to its targets. Once a breach is achieved, the group makes use of two attack chains to further infiltrate the targeted environment. The first chain involves the deployment of a custom PowerShell script, which provides a backdoor for the group’s activities. The second chain uses Impacket to connect to an actor-controlled server and deploy a bespoke implant called Drokbk and Soldier. Finally, Microsoft has highlighted Mint Sandstorm’s use of a modular backdoor called CharmPower as a further indication of the group’s capabilities.

Regarding the capabilities of Mint Sandstorm

The capabilities demonstrated by Mint Sandstorm are particularly concerning due to their potential to conceal communication with command and control servers, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. These capabilities mean that Mint Sandstorm has the potential to cause widespread and long-lasting damage.

Iran has accused the US and Israel of masterminding attacks on gas stations in the country as part of a broader campaign aimed at creating unrest in Iran. While there is no direct evidence pointing to the involvement of the US and Israel in these attacks, it is worth noting the political implications of Iran’s accusations.

The threat actor known as “The Mint Sandstorm” and its attacks on critical infrastructure in the US are concerning developments in the world of cybersecurity. The potential consequences of such attacks cannot be overstated, and preventive measures must be taken. As this article has shown, Mint Sandstorm employs advanced tactics and tools to gain access to targeted environments, making it an especially dangerous adversary. The importance of greater cybersecurity measures in critical infrastructure industries is evident, and the advancement of new technologies and safeguards must continue if we are to prevent a potential disaster.

Explore more

Aflac Japan Data Breach Impacts 4.4 Million Customers

Dominic Jainy is a veteran in the tech space, navigating the complex intersection of cybersecurity and artificial intelligence. With years of experience protecting high-stakes data through machine learning and blockchain, he offers a unique vantage point on why even the biggest insurance titans remain vulnerable to sophisticated extortion groups. Today, we delve into the recent security catastrophe at Aflac Japan,

Power Availability Dictates EMEA Data Center Growth

The unrelenting expansion of high-performance computing and artificial intelligence workloads across the European, Middle Eastern, and African markets has transformed energy procurement into the primary competitive differentiator for infrastructure developers today. While geographic proximity to end-users remains a relevant factor, the sheer scale of current deployments necessitates a pivot toward regions where the electrical grid can support multi-hundred megawatt campuses

How Does ARToken Bypass Microsoft 365 MFA?

A typical office worker receives a routine notification from what appears to be a legitimate SharePoint site, asking for a quick verification code to view a shared document. This seemingly harmless request arrives as an alphanumeric code on a professional Microsoft page, inviting the user to “verify” an identity. Because the interaction occurs entirely within official Microsoft domains, the employee

Is Your Oracle EBS Data Safe From Active Cyber Attacks?

Introduction Enterprise resource planning systems serve as the digital backbone of global commerce, yet hundreds of these critical platforms currently sit exposed to predatory actors on the open internet. Recent data reveals that nearly 950 Oracle E-Business Suite instances are directly reachable via the web, bypassing traditional security perimeters. This exposure coincides with the active exploitation of vulnerabilities that grant

Trend Analysis: AsyncRAT DLL Sideloading Tactics

In the modern cybersecurity landscape, “trust” has become a weapon, as threat actors increasingly hide malicious payloads within the very tools IT professionals use to secure their networks. The resurgence of AsyncRAT through sophisticated DLL sideloading and search engine optimization (SEO) poisoning represents a critical shift from traditional, easily filtered phishing to high-visibility, “living-off-the-land” attacks that bypass conventional perimeters. This