Peach Sandstorm’s Multi-Faceted Attacks on Satellite, Defense, and Pharma Sectors
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Brute-force, Compromised Credentials, Vulnerability Exploitation
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
Peach Sandstorm, an Iranian threat actor, has conducted password spray attacks since February 2023 against global organizations, notably in the satellite, defense, and pharmaceutical sectors. These attacks originated from TOR IPs and employed a mix of public and custom tools like AzureHound and Roadtools for reconnaissance. Once inside the network, the group established persistence through mechanisms like Azure subscriptions and Azure Arc. They also attempted to exploit vulnerabilities in Zoho ManageEngine and Confluence. Some instances involved data exfiltration and lateral movement using techniques like Golden SAML and remote desktop protocol (RDP).
Detected Targets
| Type | Description | Confidence |
|---|---|---|
| Sector | Defense | Verified |
| Sector | Pharmaceuticals | Verified |
| Sector | Aerospace | Verified |
Extracted IOCs
- 102[.]129.215.40
- 108[.]62.118.240
- 192[.]52.166.76
- 76[.]8.60.64
Tip: 4 IOCs related to this threat have been found (4 IP, 0 domain, 0 URL, 0 email, 0 file hash).
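As an added defender-side example (not code from the original report or from any vendor), the following Python shows how the password-spray pattern described in the Threat Overview can be separated from single-account brute force in sign-in logs, and how source addresses can be matched against the four IOC addresses listed above. A spray touches many accounts with few attempts each from one source; brute force hammers one account. The log line format, the ten-minute window and five-account threshold, the follow-up "spray then success" check, and the non-IOC addresses 203.0.113.7 and 198.51.100.9 (documentation ranges) are assumptions; the sign-in events are constructed.

```python
"""Added example: flag password-spray sources and known IOC addresses in
constructed sign-in log lines. Not part of the original report."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

def refang(ioc: str) -> str:
    """Turn a defanged address such as '102[.]129.215.40' back into a routable string."""
    return ioc.replace("[.]", ".")

# The four IP IOCs from the report, kept defanged as listed and refanged for matching.
PEACH_SANDSTORM_IOCS = {refang(x) for x in (
    "102[.]129.215.40", "108[.]62.118.240", "192[.]52.166.76", "76[.]8.60.64")}

# Constructed sign-in events (assumed format): timestamp source_ip account result.
# 102.129.215.40 sprays five accounts once each, then lands a success on a sixth;
# 203.0.113.7 brute-forces a single account; the other two lines are benign noise.
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 102.129.215.40 alice@example.com FAILURE
2023-09-01T10:00:45Z 102.129.215.40 bob@example.com FAILURE
2023-09-01T10:01:30Z 102.129.215.40 carol@example.com FAILURE
2023-09-01T10:02:10Z 102.129.215.40 dave@example.com FAILURE
2023-09-01T10:03:05Z 102.129.215.40 erin@example.com FAILURE
2023-09-01T10:04:00Z 102.129.215.40 frank@example.com SUCCESS
2023-09-01T10:00:05Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T10:00:06Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T10:00:07Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T10:00:08Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T10:00:09Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T10:00:10Z 203.0.113.7 bob@example.com FAILURE
2023-09-01T11:30:00Z 198.51.100.9 alice@example.com SUCCESS
2023-09-01T12:00:00Z 76.8.60.64 carol@example.com SUCCESS
"""

def parse_events(text: str) -> list:
    """Parse whitespace-separated sign-in lines into dicts; rejects malformed IPs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on garbage in the IP column
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "result": result})
    return events

def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5) -> dict:
    """Return {source_ip: sorted distinct accounts} for sources whose failed sign-ins
    cover at least `min_accounts` distinct accounts inside one sliding `window`.
    Repeated failures against a single account (brute force) do not trigger this."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAILURE":
            failures[ev["ip"]].append(ev)
    hits = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def spray_then_success(events, spray_hits) -> dict:
    """For each spraying source, list accounts it later signed into successfully;
    a non-empty result is the strongest signal that a credential was guessed."""
    out = {}
    for ip in spray_hits:
        first_fail = min(e["ts"] for e in events if e["ip"] == ip and e["result"] == "FAILURE")
        won = sorted({e["user"] for e in events
                      if e["ip"] == ip and e["result"] == "SUCCESS" and e["ts"] > first_fail})
        if won:
            out[ip] = won
    return out

def match_iocs(events, iocs=PEACH_SANDSTORM_IOCS) -> set:
    """Return every source IP in the events that appears in the IOC set."""
    return {ev["ip"] for ev in events if ev["ip"] in iocs}

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    print("spray sources:", sprays)
    print("spray followed by success:", spray_then_success(evs, sprays))
    print("IOC matches:", match_iocs(evs))
```

Note that 76.8.60.64 produces no spray finding but still matches the IOC list; the two checks are independent, and a single successful sign-in from a listed address is worth investigating on its own. In a real tenant the same logic would run over Entra ID sign-in logs rather than constructed text, and the thresholds would be tuned to the organisation's normal failure rate.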