Threats Feed | Mint Sandstorm | Last Updated: 05/08/2023 | Author: Certfa Radar | Publish Date: 18/04/2023

Mint Sandstorm Subgroup Targets US Critical Infrastructure

  • Actor Motivations: Espionage, Exfiltration, Sabotage
  • Attack Vectors: Vulnerability Exploitation, Backdoor, Dropper, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact/High Probability

Threat Overview

The report details cyberattacks by a Mint Sandstorm subgroup on US critical infrastructure, including seaports, energy companies, transit systems, and a major utility and gas entity. The subgroup rapidly adopted publicly disclosed proof-of-concept (PoC) code to exploit vulnerabilities in internet-facing applications, and the intrusions also involved custom tools and implants, lateral movement, and persistence techniques. The group's phishing campaigns targeted individuals affiliated with think tanks and universities in Israel, North America, and Europe. The targeted sectors include transportation, energy, utilities, policy, security, and academia.

Detected Targets

Type      Description           Confidence
Sector    Logistics             Verified
Sector    Pro-Democracy         High
Sector    Energy                High
Sector    Oil and Gas           Verified
Sector    Political             High
Sector    Utilities             Verified
Region    Israel                Verified
Region    United States         Verified
Region    European Countries    High

Extracted IOCs

  • 0onlyastep0[.]xyz
  • 0readerazone0[.]xyz
  • 0tryamore0[.]xyz
  • dns-iprecords[.]tk
  • oracle-java[.]cf
  • sync-system-time[.]cf
  • universityofmhealth[.]biz
  • update-windows-security[.]tk
  • 3dcdb0ffebc5ce6691da3d0159b5e811c7aa91f6d8fc204963d2944225b0119d
  • 444075183ff6cae52ab5b93299eb9841dcd8b0321e3a90fb29260dc12133b6a2
  • 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72
  • 65e48f63f455c94d3bf681acaf115caa6e1e60499362add49ca614458bbc4f85
  • ad55b4a40f9e52682d9d4f069914e09c941e8b77ca7b615e9deffccdfbc54145
  • 51[.]89.135.15
  • 51[.]89.169.201
  • 51[.]89.187.222
  • 54[.]39.202.0

Tip: 17 IOCs related to this threat have been found (4 IP, 8 domain, 0 URL, 0 email, 5 file hash).
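The indicators above are defanged (the dot in each domain and IP is wrapped in square brackets), so they cannot be matched against logs as written. The following Python script is an added example, not part of the Certfa Radar page: it refangs the listed IOCs, buckets them by type (domain, IPv4, SHA-256), checks that the counts agree with the tip above, and scans a handful of constructed DNS, proxy and EDR log lines for hits. The log formats, the sample lines and the rule that a hostname matches an IOC domain or any subdomain of it are assumptions made for the example.

```python
import re
from collections import defaultdict

# IOCs copied from the page in their defanged form.
DEFANGED_IOCS = [
    "0onlyastep0[.]xyz",
    "0readerazone0[.]xyz",
    "0tryamore0[.]xyz",
    "dns-iprecords[.]tk",
    "oracle-java[.]cf",
    "sync-system-time[.]cf",
    "universityofmhealth[.]biz",
    "update-windows-security[.]tk",
    "3dcdb0ffebc5ce6691da3d0159b5e811c7aa91f6d8fc204963d2944225b0119d",
    "444075183ff6cae52ab5b93299eb9841dcd8b0321e3a90fb29260dc12133b6a2",
    "57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72",
    "65e48f63f455c94d3bf681acaf115caa6e1e60499362add49ca614458bbc4f85",
    "ad55b4a40f9e52682d9d4f069914e09c941e8b77ca7b615e9deffccdfbc54145",
    "51[.]89.135.15",
    "51[.]89.169.201",
    "51[.]89.187.222",
    "54[.]39.202.0",
]

# Constructed sample log lines (assumed formats, not real telemetry).
# Lines 1-3 contain a domain, an IP and a hash from the list; lines 4-6 must not hit.
SAMPLE_LOGS = [
    "2023-04-18T10:02:11Z dns client=10.0.0.12 query=mail.universityofmhealth.biz. type=A",
    "2023-04-18T10:02:12Z proxy src=10.0.0.12 dst=51.89.169.201 method=POST uri=/api/upload status=200",
    "2023-04-18T10:05:40Z edr host=WS-0417 event=process_create sha256=57CC5E44FD84D98942C45799F367DB78ADC36A5424B7F8D9319346F945F64A72",
    "2023-04-18T10:06:02Z dns client=10.0.0.44 query=www.example.com. type=A",
    "2023-04-18T10:07:15Z proxy src=10.0.0.44 dst=93.184.216.34 method=GET uri=/ status=200",
    "2023-04-18T10:08:30Z dns client=10.0.0.51 query=oracle-java.cf.lookalike.example. type=A",
]

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Tokens that can carry a hostname, IP or hash: letters, digits, dots, hyphens.
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def refang(ioc: str) -> str:
    """Restore a defanged indicator ("[.]" -> ".") and normalise case."""
    return ioc.replace("[.]", ".").lower()


def classify(ioc: str) -> str:
    """Bucket a refanged indicator as 'sha256', 'ipv4' or 'domain'."""
    if SHA256_RE.match(ioc):
        return "sha256"
    if IPV4_RE.match(ioc):
        return "ipv4"
    return "domain"


def build_index(defanged):
    """Map each IOC type to the set of refanged indicators of that type."""
    index = defaultdict(set)
    for ioc in defanged:
        real = refang(ioc)
        index[classify(real)].add(real)
    return index


def ioc_counts(index):
    """Per-type counts, for cross-checking against the page's IOC tip."""
    return {kind: len(values) for kind, values in index.items()}


def matching_domain(hostname, domains):
    """Return the IOC domain that hostname equals or is a subdomain of, else None.
    Requiring a leading '.' for the suffix case avoids matching 'notuniversityofmhealth.biz',
    and a lookalike that merely starts with an IOC domain does not match either."""
    for d in domains:
        if hostname == d or hostname.endswith("." + d):
            return d
    return None


def scan(lines, index):
    """Return (line_number, ioc_type, ioc) for every indicator seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line.lower()):
            tok = tok.strip(".")  # DNS logs often write a trailing dot on FQDNs
            if tok in index["sha256"]:
                hits.append((n, "sha256", tok))
            elif tok in index["ipv4"]:
                hits.append((n, "ipv4", tok))
            else:
                d = matching_domain(tok, index["domain"])
                if d:
                    hits.append((n, "domain", d))
    return hits


if __name__ == "__main__":
    idx = build_index(DEFANGED_IOCS)
    print("IOC counts:", ioc_counts(idx))
    for hit in scan(SAMPLE_LOGS, idx):
        print("HIT line %d: %s %s" % hit)
```

Matching is done on whole tokens rather than with a substring search, so a hash or IP embedded in a longer string is not reported, and hostnames are matched on label boundaries so that subdomains of a listed domain hit while lookalikes that merely start with one do not. Against real telemetry, feed the same `scan` function a stream of normalised lines from your DNS, proxy and EDR sources.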

Overlaps

Cobalt Mirage
Drokbk Malware: A Tool for COBALT MIRAGE's Cyber Arsenal

Source: Secureworks - December 2022

Detection (three cases): dns-iprecords[.]tk, oracle-java[.]cf, universityofmhealth[.]biz

Yellow Garuda
Yellow Garuda's New Arsenal: Telegram 'Grabber' Tool and Android Malware in Focus

Source: PWC - July 2022

Detection (one case): 57cc5e44fd84d98942c45799f367db78adc36a5424b7f8d9319346f945f64a72

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

About Affiliation
Mint Sandstorm