Microsoft has disclosed a new wave of cyber-espionage activity in which the Iranian state-backed group it tracks as Peach Sandstorm is deploying a custom backdoor named FalseFont. The backdoor gives the operators remote access to compromised systems at organizations in the Defense Industrial Base (DIB), a sector of more than 100,000 defense companies and subcontractors worldwide.
FalseFont lets the operators execute files on the infected host and transfer data to and from their command-and-control (C2) servers, which is enough to stage further tooling and exfiltrate data from a victim. Microsoft first observed FalseFont in early November 2023 and notes that its deployment fits Peach Sandstorm's ongoing effort to refine its intrusion techniques.
The group, tracked by other vendors as APT33 and Refined Kitten and previously named HOLMIUM in Microsoft's own taxonomy, has a consistent record of espionage and theft of sensitive data targeting the United States, Saudi Arabia, and South Korea, across the government, defense, research, finance, and engineering sectors.
The development and use of FalseFont is consistent with Peach Sandstorm activity observed by Microsoft over the past year, suggesting that Peach Sandstorm is continuing to improve their tradecraft.
— Microsoft Threat Intelligence (@MsftSecIntel) December 21, 2023
Microsoft's guidance is to reset the passwords of every account targeted during a suspected password spray, one of the group's standard initial-access tactics, and to require multi-factor authentication (MFA) on RDP and Windows Virtual Desktop endpoints so that a guessed password alone is not enough to log in.
The campaign builds on activity Microsoft reported earlier: continuous password spray attacks since February 2023, aimed chiefly at the U.S. satellite and defense sectors and, to a lesser extent, the pharmaceutical sector. In a small number of those intrusions the actor achieved limited data exfiltration.
Defense agencies and contractors face this threat alongside others: nation-state actors attributed to Russia, North Korea, and China have also been implicated in high-profile attacks on defense targets worldwide, underlining the persistent and evolving nature of the problem.
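The password-spray tactic named in the two paragraphs above leaves a recognizable trace in Windows Security auditing: one source address, many distinct accounts, and only one or two failed logons per account inside a short window, which is the opposite of a brute force against a single user. The following is an added example written for this page, not code from Microsoft or from the original article; it runs that detection over constructed failed-logon records modeled on Event ID 4625 fields (timestamps, addresses and account names are made up) and then lists the existing accounts whose passwords should be reset, which is the first of Microsoft's two recommendations. The thresholds are assumptions to tune per environment.

```python
"""Password-spray detection over constructed failed-logon records.

Added example; not code from Microsoft or from the original article. It
models the pattern a spray leaves in Windows Security auditing (many
distinct accounts, one or two tries each, from one source inside a short
window) and lists the targeted accounts whose passwords should be reset.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS values that appear in the Status/SubStatus fields of Event ID 4625.
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_NO_SUCH_USER = 0xC0000064

# Constructed sample records (timestamp, source IP, target account, status);
# the addresses, names and times are made up for this example.
SAMPLE_EVENTS = [
    # One source, ten different accounts, one attempt each in two minutes.
    ("2023-11-02T03:00:01", "203.0.113.7", "jsmith",     STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:00:12", "203.0.113.7", "achen",      STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:00:25", "203.0.113.7", "mgarcia",    STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:00:38", "203.0.113.7", "admin",      STATUS_NO_SUCH_USER),
    ("2023-11-02T03:00:51", "203.0.113.7", "rpatel",     STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:01:04", "203.0.113.7", "lnguyen",    STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:01:17", "203.0.113.7", "test",       STATUS_NO_SUCH_USER),
    ("2023-11-02T03:01:30", "203.0.113.7", "dokafor",    STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:01:43", "203.0.113.7", "svc_backup", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:01:56", "203.0.113.7", "KWilson",    STATUS_WRONG_PASSWORD),
    # A workstation user mistyping their own password five times: not a spray.
    ("2023-11-02T03:05:00", "10.0.0.25", "bkumar", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:05:09", "10.0.0.25", "bkumar", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:05:20", "10.0.0.25", "bkumar", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:05:31", "10.0.0.25", "bkumar", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:05:44", "10.0.0.25", "bkumar", STATUS_WRONG_PASSWORD),
    # Three accounts from another source: below the spray threshold.
    ("2023-11-02T03:10:00", "198.51.100.9", "tlee",   STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:10:30", "198.51.100.9", "pbrown", STATUS_WRONG_PASSWORD),
    ("2023-11-02T03:11:00", "198.51.100.9", "bkumar", STATUS_WRONG_PASSWORD),
]


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=8, max_mean_attempts=2.0):
    """Return {source_ip: {"accounts": [...], "nonexistent": [...]}} for every
    source whose failed logons inside some `window` touch at least
    `min_accounts` distinct accounts with on average no more than
    `max_mean_attempts` tries per account (the low-and-slow spray signature,
    as opposed to hammering one account). Thresholds are assumed defaults."""
    by_source = defaultdict(list)
    for ts, ip, user, status in events:
        # Windows account names are case-insensitive; normalise before counting.
        by_source[ip].append((datetime.fromisoformat(ts), user.lower(), status))

    findings = {}
    for ip, rows in by_source.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Advance the window start until rows[start:end+1] spans <= window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = Counter(user for _, user, _ in rows[start:end + 1])
            mean_attempts = sum(counts.values()) / len(counts)
            if len(counts) >= min_accounts and mean_attempts <= max_mean_attempts:
                findings[ip] = {
                    "accounts": sorted({user for _, user, _ in rows}),
                    "nonexistent": sorted({user for _, user, status in rows
                                           if status == STATUS_NO_SUCH_USER}),
                }
                break
    return findings


def accounts_to_reset(findings):
    """Accounts targeted by a detected spray that exist in the directory, i.e.
    the ones whose passwords should be reset; names that came back with
    STATUS_NO_SUCH_USER have nothing to reset."""
    to_reset = set()
    for hit in findings.values():
        to_reset.update(set(hit["accounts"]) - set(hit["nonexistent"]))
    return sorted(to_reset)


if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    for ip, hit in hits.items():
        print(f"spray from {ip}: {len(hit['accounts'])} accounts targeted, "
              f"{len(hit['nonexistent'])} of them nonexistent")
    print("reset passwords for:", ", ".join(accounts_to_reset(hits)))
```

The mean-attempts test rather than a per-account maximum is deliberate: an attacker who adds a few extra guesses against one account would otherwise push the whole window out of the "spray" shape. Against real telemetry the source key should also be tried on the workstation name in the event, since sprays through a VPN or proxy collapse many sources onto one address, and the nonexistent-user status is itself worth alerting on because legitimate users rarely generate it in bulk.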