Iranian government-backed threat actor “MuddyWater” targets critical infrastructure in the US

A recent report by Microsoft sheds light on the activities of an Iranian government-backed threat actor known as “Mint Sandstorm.” The group has been identified as being responsible for a series of attacks aimed at critical infrastructure in the US between late 2021 and mid-2022. In this article, we will provide an overview of the threats posed by Mint Sandstorm, the tactics employed by the group, the targets, and the potential consequences of its activities.

Background information on Mint Sandstorm

Mint Sandstorm is the new name assigned to the threat actor previously tracked by Microsoft under the name Phosphorus. According to the company, Mint Sandstorm is associated with the Islamic Revolutionary Guard Corps (IRGC), rather than the Ministry of Intelligence and Security (MOIS). This distinction is important as it suggests that Mint Sandstorm is potentially even more dangerous than previous Iranian-backed threat actors.

Targeted entities

The targets of Mint Sandstorm include a diverse range of critical infrastructure organizations such as seaports, energy companies, transit systems, and a major US utility and gas company. The selection of these targets highlights the importance of these entities to the functioning of society and the potential consequences of a successful attack.

Tactics used by Mint Sandstorm

Mint Sandstorm employs highly-targeted phishing campaigns as a way of gaining initial access to its targets. Once a breach is achieved, the group makes use of two attack chains to further infiltrate the targeted environment. The first chain involves the deployment of a custom PowerShell script, which provides a backdoor for the group’s activities. The second chain uses Impacket to connect to an actor-controlled server and deploy a bespoke implant called Drokbk and Soldier. Finally, Microsoft has highlighted Mint Sandstorm’s use of a modular backdoor called CharmPower as a further indication of the group’s capabilities.

Regarding the capabilities of Mint Sandstorm

The capabilities demonstrated by Mint Sandstorm are particularly concerning due to their potential to conceal communication with command and control servers, persist in a compromised system, and deploy a range of post-compromise tools with varying capabilities. These capabilities mean that Mint Sandstorm has the potential to cause widespread and long-lasting damage.

Iran has accused the US and Israel of masterminding attacks on gas stations in the country as part of a broader campaign aimed at creating unrest in Iran. While there is no direct evidence pointing to the involvement of the US and Israel in these attacks, it is worth noting the political implications of Iran’s accusations.

The threat actor known as “The Mint Sandstorm” and its attacks on critical infrastructure in the US are concerning developments in the world of cybersecurity. The potential consequences of such attacks cannot be overstated, and preventive measures must be taken. As this article has shown, Mint Sandstorm employs advanced tactics and tools to gain access to targeted environments, making it an especially dangerous adversary. The importance of greater cybersecurity measures in critical infrastructure industries is evident, and the advancement of new technologies and safeguards must continue if we are to prevent a potential disaster.

Explore more