The Washington Post
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

An Iranian hacking group went on the offensive against U.S. targets, Microsoft says


Welcome to The Cybersecurity 202! Just when I think I’ve seen every amazing octopus video, I stumble across something like this. I will probably never catch up because octopuses are bound to come up with more cool stuff to do.


Below: The U.S. eavesdropped on a U.N. official, and ICE employees have reportedly been misusing agency data. First:

First in The Cybersecurity 202: Microsoft sees an Iranian hacking group shift toward possible destructive attacks

An Iranian government-linked hacking group previously known for its focus on reconnaissance has shifted to targeting U.S. critical infrastructure, potentially with the goal of launching destructive cyberattacks, Microsoft said in a report today.

The change in approach began in 2021 and coincided with a period when Iran suffered cyberattacks for which it blamed Israel and the United States, Microsoft noted.

Microsoft says the hackers are a subgroup of an outfit they’re calling Mint Sandstorm, stemming from a new naming system for hacking groups that the company is debuting today. It previously called the group Phosphorus, and other cybersecurity firms call it Charming Kitten, APT 35, APT 42 and TA453. 

“Mint Sandstorm is known for going after dissidents, activists, the defense industrial base,” John Lambert, who leads Microsoft’s consolidated intelligence and research teams for Microsoft Security, told me. “We saw a marked shift to U.S. critical infrastructure … where multiple seaports, transportation, the energy sector, were targeted for access.

“One assessment could be that this is pre-positioning for access to critical infrastructure in the United States, to be ready for some retaliatory action should the order be given,” he said.

Lambert said that Microsoft had seen successful intrusions from the group in multiple sectors. 

The backdrop

Microsoft sees a broader shift among Iranian hackers.

  • “This targeting also coincided with a broader increase in the pace and the scope of cyberattacks attributed to Iranian threat actors, including another Mint Sandstorm subgroup, that Microsoft observed beginning in September 2021,” the Microsoft report reads.
  • “The increased aggression of Iranian threat actors appeared to correlate with other moves by the Iranian regime under a new national security apparatus, suggesting such groups are less bounded in their operations,” the report states. “Given the hard line consensus among policymakers in Tehran and sanctions previously levied on Iran’s security organizations, Mint Sandstorm subgroups may be less constrained in carrying out malicious cyber activity.”

Security researchers have concluded that Mint Sandstorm is tied to the Islamic Revolutionary Guard Corps (IRGC). Iran has denied carrying out cyberattacks.

Other cyber firms have taken note of Mint Sandstorm’s increased aggression. Proofpoint said in December that the group had expanded its target list to include politicians, government officials and medical researchers. But Proofpoint also said that a sub-cluster of the group was acting in support of the IRGC’s murder-for-hire and kidnapping plots.

“TA453, like its fellow advanced persistent threat actors engaged in espionage, is in a constant state of flux regarding its tools, tactics, techniques, and targeting,” the Proofpoint report concluded. “Adjusting its approaches, likely in response to ever-changing and expanding priorities, the outlier campaigns are likely to continue and reflect IRGC intelligence-collection requirements, including possible support for hostile, and even kinetic, operations.”

Mint Sandstorm’s newfound aggressiveness overlapped with a series of actual or apparent cyberattacks in Iran. In 2020, cyber and intelligence officials believe Israel carried out an attack on an Iranian port facility, my colleagues Joby Warrick and Ellen Nakashima reported. In 2021, hackers breached and disrupted an Iranian rail network.

Perhaps most significantly, also in 2021, Iran’s civil defense chief blamed Israel and the United States as the likely parties behind an attack on Iran’s national fuel distribution system.

Additionally, the subgroup “displays more remarkable technical and operational sophistication” within Mint Sandstorm, Lambert said. Once a proof-of-concept for an exploit is published to demonstrate the use of a security flaw, the subgroup quickly weaponizes it, he said.

That kind of attack would give hackers “a very privileged position inside the target network, [and] typically would have elevated credentials right away,” he said, putting them in a position to do more harm.

The subgroup has also developed its own hacking tools rather than relying on the tools of others, Microsoft says. That custom malware shows off the group’s “operational flexibility,” Lambert said.

Microsoft says the targeting of critical infrastructure continued through mid-2022, but since then the group seemingly has focused on volume of victims.

New names

Microsoft has historically named hacking groups after chemical elements on the periodic table. Now, it’ll use weather in a bid to provide more information in the names themselves. For instance, while Sandstorm will indicate an Iranian group, Blizzard will indicate Russia and Flood will indicate influence operations. The first part of the name will be a color or pattern.

In addition to the desire to provide more information in the names, Lambert said, Microsoft is responding to customers who have complained it’s hard to search the web for the old names. “If you search for Zinc, you might find sunscreen,” he said.

The keys

U.S. eavesdropped on U.N. secretary general, leaked documents show

The United States eavesdropped on U.N. Secretary General António Guterres’s exchanges with other U.N. officials, your Cybersecurity 202 host and our colleague Karen DeYoung report, citing four classified reports obtained by The Post. 

“The documents, two of which haven’t been previously reported, summarize intercepted conversations that shed new light on Guterres’s interactions with top U.N. officials and world leaders, including detailing what they describe as his ‘outrage’ over being denied a visit to a war-torn region in Ethiopia and frustrations toward Ukrainian President Volodymyr Zelensky,” the report says.

The documents indicate that the eavesdropping operation was enabled by the Foreign Intelligence Surveillance Act, portions of which are facing reauthorization pushback in Congress amid a year-end expiry deadline.

“The documents are part of a trove of national security reports, allegedly leaked onto the online messaging platform Discord by a member of the Massachusetts Air National Guard, that have revealed secrets about everything from gaps in Ukrainian air defenses to the specifics of how the United States spies on its allies and partners,” we wrote.

U.S. accuses dozens of Chinese police officers of carrying out social media harassment and propaganda campaigns

Federal law enforcement officials have charged 34 officers in China’s national police force who allegedly used fake social media accounts to harass Chinese dissidents and spread propaganda abroad, our colleagues Perry Stein and Joseph Menn report. Ten others were also charged with “targeting and intimidating users of a U.S. technology platform, including critics of the Chinese regime,” they write.

Previous charges and names listed link that platform to Zoom Video Communications, they write. Law enforcement also arrested two New York residents for allegedly running a secret Manhattan-based police station used to intimidate a Chinese dissident in California, Perry and Joseph report.

“The allegations you just heard pull back the curtain on the [People’s Republic of China’s] audacious and illegal attempts to harass dissidents and stifle free speech in our country,” Breon Peace, U.S. attorney for the Eastern District of New York, said at a news conference. 

More than 100 clandestine China-linked police operations have been set up to harass Chinese dissidents abroad, according to October findings from human rights organization Safeguard Defenders. 

ICE agents and contractors abused access to agency data, records reveal

Hundreds of U.S. Immigration and Customs Enforcement (ICE) employees have been investigated by the agency since 2016 for allegedly abusing confidential law enforcement data, Dhruv Mehrotra reports for WIRED, citing an agency disciplinary database obtained through a public records request.

The documents show that “ICE investigators found that the organization’s agents likely queried sensitive databases on behalf of their friends and neighbors,” Mehrotra writes, adding that some agents were investigated for looking up information about ex-partners and some agents shared login information with unauthorized individuals like family members.

Half of the 414 investigative incidents that were documented since 2016 led to Office of Professional Responsibility investigations, Mehrotra reports. Around a quarter of those incidents were “substantiated” or “referred to management,” according to the report.

“ICE did not respond to requests for comment in time for publication,” Mehrotra writes.

Global cyberspace

Greek opposition asks if government exported ‘Predator’ to Sudan (Euractiv)

Capita investigates authenticity of ransomware gang leaks (The Record)

Dutch intel agency paints grim picture of multiple threats (The Associated Press)

Cybersecurity nightmare in Japan is everyone else’s problem too (Bloomberg News)

Cyber insecurity

NSO hacked iPhones without user clicks in 3 new ways, researchers say (Joseph Menn)

Hackers publish sensitive employee data stolen during CommScope ransomware attack (TechCrunch)

Ex-Conti members and FIN7 devs team up to push new Domino malware (Bleeping Computer)

Industry report

Cyber venture capital funding slows to a trickle, a sharp decline from 2022 investment (Cybersecurity Dive)

Insurers wary of longer-term costs of cyberattacks (WSJ Pro Cybersecurity)

Nintendo ‘hacker’ Gary Bowser released from federal prison (TorrentFreak)

Encryption wars

Crooks’ mistaken bet on encrypted phones (The New Yorker)

On the move

  • Dr. Adam Segal has joined the State Department’s Bureau of Cyberspace and Digital Policy (CDP) to lead the development of an International Cyberspace and Digital Policy Strategy, a State Department spokesperson tells us. Segal was formerly with the Council on Foreign Relations.


  • DHS Secretary Alejandro Mayorkas testifies to the Senate Homeland Security and Governmental Affairs Committee about the agency’s fiscal 2024 budget request at 10 a.m.
  • The Center for Strategic and International Studies convenes a report launch event titled “Report Launch: Seven Critical Technologies for Winning the Next War” at 10:30 a.m.
  • The U.S. Election Assistance Commission’s Standards Board will host a two-day in-person public meeting in Arizona beginning today at 11 a.m.

Secure log off

Thanks for reading. See you tomorrow.