Microsoft has reported that an Iranian cyber espionage group, tracked as Peach Sandstorm but also known as Holmium, APT33, or Elfin, successfully compromised numerous entities and exfiltrated data from some of them as part of a campaign targeting organizations in the satellite, defense, and pharmaceutical sectors. The campaign relied on a high volume of password spray attacks, in which attackers try one known password against a list of usernames rather than many passwords against a single account. The campaign began in February and targeted thousands of organizations. Microsoft did not disclose the location of the targeted organizations but noted that previous activity from Peach Sandstorm occurred during periods of tension between the US and Iran.
The recent hacking activity used password spray attacks between February and July this year. Once the hackers gained access, they utilized stealthier and more advanced methods, which indicates an increase in capability compared to past activity from Peach Sandstorm. Researchers identified two pathways into targeted organizations. The first was via password spray attacks, which occurred primarily between 9 a.m. and 5 p.m. Iran Standard Time. The second pathway involved exploiting vulnerabilities in Zoho ManageEngine products and the Confluence Server and Data Center.
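The spray pattern described above (one password, many usernames, clustered in Iran Standard Time business hours) is what a defender would hunt for in authentication telemetry. The following is an added detection example, not code from Microsoft's report; the log format, IP addresses, usernames and timestamps are constructed samples.

```python
# Added example, not from the Microsoft report: flag password-spray activity in
# auth logs. A spray fails against MANY distinct usernames from one source in a
# short window; brute force fails repeatedly against ONE. Log lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30))  # Iran Standard Time, UTC+03:30
# Constructed format: "<UTC timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2023-05-10T06:01:02Z 203.0.113.7 alice FAIL
2023-05-10T06:01:05Z 203.0.113.7 bob FAIL
2023-05-10T06:01:09Z 203.0.113.7 carol FAIL
2023-05-10T06:01:12Z 203.0.113.7 dave FAIL
2023-05-10T06:01:15Z 203.0.113.7 erin FAIL
2023-05-10T06:01:20Z 203.0.113.7 frank SUCCESS
2023-05-10T06:02:00Z 198.51.100.9 alice FAIL
2023-05-10T06:02:30Z 198.51.100.9 alice FAIL
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: finding} for sources whose failures hit at least
    `min_users` distinct accounts inside `window`; a later SUCCESS from the
    same source is the event to escalate first."""
    fails, successes = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    findings = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                findings[ip] = {"users": sorted(users),
                                "followed_by_success": sorted(successes[ip]),
                                # 09:00-17:00 IRST matches the reported activity hours
                                "irst_business_hours": 9 <= ts.astimezone(IRST).hour < 17}
                break
    return findings
```

The second source in the sample (repeated failures on one account) is deliberately not flagged, so the rule separates spraying from ordinary brute force or a user mistyping a password.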
This report comes at a time when there is an ongoing negotiation between the US and Iranian governments regarding the release of detained citizens and the transfer of frozen Iranian oil funds.