American critical infrastructure, including seaports, energy businesses, and utilities, have been affected by various attacks between the latter part of 2021 and the middle of 2022.
The Microsoft Threat Intelligence team has attributed these attacks to a group called Mint Sandstorm, which is supported by the Iranian government.
Mint Sandstorm is technically proficient and can create custom tools to exploit previously unknown vulnerabilities swiftly. The group has also shown operational flexibility that aligns with Iran’s national objectives. The attacks are believed to be in retaliation for the assaults on the rail, maritime, and gas station systems in 2020-2021, which Iran claimed were orchestrated by the United States and Israel to incite unrest in the nation.
To acquire initial access and establish persistence quickly, the group used the rapid inclusion of publicly accessible Proof of Concept (PoC) web application vulnerabilities, such as CVE-2022-47966 and CVE-2022-47986, into their scripts. Once access is obtained, the group deploys one of two attack chains.
In the first attack chain, several PowerShell scripts are used to connect to a remote server, steal Active Directory databases, and then disconnect from the server. The second attack chain employs Impacket to connect to a C2 server and distribute a sophisticated backdoor named “Drokbk and Soldier,” a multi-stage .NET-based backdoor with download and launch tools and self-delete capabilities.
Experts have identified the Nemesis Kitten group, a subcluster of Mint Sandstorm, as responsible for the Drokbk backdoor. The group includes Cobalt Mirage, TunnelVision, and UNC2448. Secureworks published a detailed analysis of the Drokbk backdoor in December 2022.
According to Microsoft, the Mint Sandstorm group’s capabilities are a significant concern because the group’s operators can cover their tracks while communicating with the C2 server, remain active on a compromised system, and deploy a wide range of post-compromise tools covertly.