
Microsoft Identifies FalseFont Backdoor Targeting Defense Sector

Iran's Peach Sandstorm unleashes new FalseFont malware, targeting the US Defense Industrial Base (DIB) with espionage potential.


Microsoft has identified and exposed a new wave of cyber-espionage activity in which the Iranian-backed APT group known as Peach Sandstorm has been leveraging a malware strain named FalseFont. This custom backdoor gives the operators remote access to compromised systems at organizations within the Defense Industrial Base (DIB) sector, which encompasses over 100,000 defense companies and subcontractors globally.

Malware Mechanics

FalseFont enables the attackers to execute files and transfer data to and from their command-and-control (C2) servers. The remote access this malware provides could create substantial security risks for the targeted entities. Microsoft's team first detected FalseFont activity around early November 2023 and notes that the malware's deployment is in line with Peach Sandstorm's ongoing efforts to refine its intrusion techniques.

Threat Evolution

The APT group responsible, also tracked as HOLMIUM, Refined Kitten, and APT33, has displayed a consistent pattern of espionage and theft of sensitive data within the United States, Saudi Arabia, and South Korea. It has extensively targeted various sectors, including government, defense, research, finance, and engineering.

Microsoft underscores that network defenses should be reinforced by resetting credentials for any accounts subjected to suspected password spray attacks, one of the common tactics used by the group. Moreover, enforcing multi-factor authentication (MFA) for RDP or Windows Virtual Desktop endpoints is strongly encouraged to strengthen account security and reduce exposure.
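The credential-reset guidance above presupposes that defenders can tell which accounts were actually sprayed. The following script is an added illustration, not code from Microsoft or from this article: it runs a simple password-spray heuristic (one source attempting many distinct accounts inside a short window) over constructed authentication log lines, returns the accounts that should be reset, and separately flags accounts where the spraying source achieved a successful logon. The log format, the source addresses, the account names and the thresholds (`window`, `min_accounts`) are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Format assumed for this example: "<ISO timestamp> <source IP> <account> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-11-02T08:00:01Z 203.0.113.7 alice FAIL
2023-11-02T08:00:04Z 203.0.113.7 bob FAIL
2023-11-02T08:00:09Z 203.0.113.7 carol FAIL
2023-11-02T08:00:12Z 203.0.113.7 dave FAIL
2023-11-02T08:00:15Z 203.0.113.7 erin FAIL
2023-11-02T08:00:20Z 203.0.113.7 frank FAIL
2023-11-02T08:00:25Z 203.0.113.7 grace SUCCESS
2023-11-02T08:01:00Z 198.51.100.23 alice FAIL
2023-11-02T08:01:05Z 198.51.100.23 alice FAIL
2023-11-02T08:01:10Z 198.51.100.23 alice SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source, account, result)."""
    ts, src, account, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account, result


def parse_log(log_text):
    """Parse all non-empty lines and sort them chronologically."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort()
    return events


def detect_password_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: sorted accounts} for every source that attempted at least
    `min_accounts` distinct accounts within any `window`-long sliding interval.
    Thresholds are example values; tune them to the environment's baseline."""
    by_src = defaultdict(list)
    for ts, src, account, _result in parse_log(log_text):
        by_src[src].append((ts, account))

    hits = {}
    for src, attempts in by_src.items():
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until the span fits inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {acct for _, acct in attempts[start:end + 1]}
            if len(distinct) >= min_accounts:
                # Accumulate every account touched by any qualifying window.
                hits[src] = sorted(set(hits.get(src, [])) | distinct)
    return hits


def accounts_to_reset(log_text, **kw):
    """All accounts targeted by a spraying source: candidates for credential reset."""
    spray = detect_password_spray(log_text, **kw)
    return sorted({acct for accts in spray.values() for acct in accts})


def successful_logins_from_spray_sources(log_text, **kw):
    """Accounts where a spraying source got a SUCCESS: investigate first,
    since the reset alone does not evict an attacker who already logged on."""
    spray = detect_password_spray(log_text, **kw)
    return sorted({acct for _ts, src, acct, res in parse_log(log_text)
                   if res == "SUCCESS" and src in spray})


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_LOG))
    print("reset these accounts:", accounts_to_reset(SAMPLE_LOG))
    print("successful logons from spray sources:",
          successful_logins_from_spray_sources(SAMPLE_LOG))
```

In the constructed sample, 203.0.113.7 cycles through seven accounts in under half a minute and is flagged, while 198.51.100.23 repeatedly hits a single account and is not (that pattern is brute force against one user, which this heuristic deliberately ignores). The output also singles out `grace`, the one account the spraying source logged into successfully, which is where the investigation should start before the bulk reset.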

The recent campaign described in Microsoft's warnings indicates a broader and more targeted approach by Peach Sandstorm, with continuous password spray attacks observed since February 2023 and a particular interest in the U.S. satellite, defense, and, to a lesser extent, pharmaceutical sectors. The intrusions by this actor have resulted in limited data exfiltration from a small number of victims across those industries.

In the broader context of cyberthreats to international defense agencies and contractors, this is not an isolated case. Various other nation-state actors, including those from , North Korea, and , have also been implicated in high-profile campaigns against global defense targets, underlining the ongoing and evolving nature of cyber warfare.

Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.