Since February 2023, APT35, a notorious Iranian-backed threat actor, has been intensifying its cyber operations with a series of global password spray attacks. These attacks represent a strategic shift in the group’s focus, targeting vital sectors and expanding their geographical scope.
Scope and Targets of the Campaign
The campaign, as reported by Microsoft researchers, primarily targets sectors such as satellite, defense, and pharmaceuticals, with a heightened focus on organizations in the United States, Saudi Arabia, and South Korea. These attacks demonstrate APT35’s adaptability and determination to infiltrate high-value targets across different industries.
Password spraying differs from traditional brute-force attacks by using a few commonly used passwords against a large number of accounts, thereby minimizing the chances of detection. This technique allows APT35 to maximize attack success while reducing the likelihood of triggering security alerts. The group’s strategic use of both publicly available and custom tools in these attacks exemplifies their evolving tactics and resourcefulness.
MITRE ATT&CK TTPs
APT35’s password spray attacks align with several tactics and techniques listed in the MITRE ATT&CK framework, including:
- Valid Accounts (T1078)
- Brute Force (T1110)
- Credential Dumping (T1003)
- Exploitation for Client Execution (T1203)
APT35’s campaign also involved attempts to exploit known vulnerabilities, including:
- CVE-2022-47966 – A remote code execution flaw in Zoho ManageEngine.
- CVE-2022-26134 – A remote code execution flaw in Confluence Server and Data Center.
Organizations are encouraged to implement multi-factor authentication, regularly update passwords, and educate employees on secure password practices. Monitoring network traffic for anomalies and employing advanced threat detection tools are also crucial in identifying and mitigating such sophisticated attacks.
APT35’s password spray campaign highlights the group’s continuous evolution and the expanding complexity of cyber threats. Organizations must maintain heightened vigilance and robust cybersecurity measures to protect against these sophisticated and dynamic threats.
- Microsoft Security Blog
- Ankura CTIX FLASH Update – September 19, 2023
- MITRE ATT&CK profile for APT35
- Cybersecurity and Infrastructure Security Agency (CISA) Alerts