Iranian threat group Mint Sandstorm targets high-profile Middle East researchers

Threat actor Mint Sandstorm, believed to be linked to Iran, has been observed using bespoke phishing lures to attack high-profile targets while leveraging a new custom backdoor called MediaPI.

In a Jan. 17 blog post, Microsoft Threat Intelligence said the attacks were on individuals working at a high level on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States.

The Microsoft researchers said Mint Sandstorm — also known as APT35 and APT42 — used legitimate, yet compromised accounts to send phishing lures. The researchers said Mint Sandstorm continues to improve and modify the tooling used in targets’ environments, activity that might help the group persist in a compromised environment and better evade detection.

“Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum,” wrote the researchers.

Mint Sandstorm operates as a state-sponsored actor from Iran and, as a result, serves government agency and potential military objectives, explained Balazs Greksza, threat response lead at Ontinue. Greksza said the group employs tactics such as watering hole attacks and phishing emails, to target governments, NGOs, private entities, and academia for espionage. They often pose as journalists, government officials, or academics on social media and their primary objective is to get hold of sensitive information.

“Actors like APT35 have primary goals around geopolitics, national security, counter-intelligence,” said Greksza. “As openly shared by different intelligence agencies in the past, intelligence goals may shift rapidly based on the needs of national interests, current political and military leadership and their decision and intelligence needs.”

Ngoc Bui, cybersecurity expert at Menlo Security, added that the deployment of the custom backdoor MediaPI, along with the use of other tools like MischiefTut, indicates a shift in the operational tactics of Mint Sandstorm, marking an evolution in their cyber espionage capabilities.

Bui outlined four potential dangers from Mint Sandstorm security teams should watch for:

Cross-sector infiltration

While the current focus is on universities and research organizations specializing in Middle Eastern issues, the adaptability and sophistication of such groups could let them pivot towards other sectors. This could include critical infrastructure, government agencies, or corporations, especially if their interests align with the geopolitical goals of the sponsoring state.

Intellectual property theft and espionage

The targeting of research institutions raises significant concerns about intellectual property theft and espionage. This can lead to a loss of competitive advantage for nations and organizations, and in some cases, might compromise national security.

Trust erosion in digital communications

The tactics employed, such as leveraging compromised, legitimate accounts and establishing trust through initial non-malicious communications, contribute to a broader erosion of trust in digital communications. This can have far-reaching implications for how organizations approach digital security and communication.

Expansion of cyber conflict

The involvement of a state-backed group in such campaigns can potentially escalate into broader cyber conflicts, especially if targeted entities are of significant geopolitical interest.

“Regarding the motivation of Mint Sandstorm, while financial gain is a common driver in many cyberattacks, the nature and targets of this campaign suggest a primary interest in espionage and intelligence gathering, likely aligned with the geopolitical interests of Iran,” said Bui. “The focus on high-profile individuals and specific research areas indicates a strategic approach geared more towards gathering intelligence and exerting influence rather than direct financial exploitation.”