Notorious Iranian Hackers Have Been Targeting the Space Industry With a New Backdoor

Wired  

The Iranian government-backed hacking group known as APT 33 has been active for more than 10 years, conducting aggressive espionage operations against a diverse array of public and private sector victims around the world, including critical infrastructure targets. The backdoor, which Microsoft named “Tickler” for some reason, infects a target after the hacking group gains initial access via password spraying or social engineering. The researchers observed the group, which Microsoft tracks as Peach Sandstorm, deploying Tickler and then manipulating victim Azure cloud infrastructure using the hackers’ Azure subscriptions to gain full control of target systems. Since February 2023, the researchers say they have observed the hackers “carrying out password spray activity against thousands of organizations.” And in April and May 2024, Microsoft observed Peach Sandstorm using password spraying to target United States and Australian organizations in the space, defense, government, and education sectors. “Peach Sandstorm also continued conducting password spray attacks against the educational sector for infrastructure procurement and against the satellite, government, and defense sectors as primary targets for intelligence collection,” Microsoft wrote.
