Full Report
Researchers say some targets correlate with cities hit by Iranian missile strikes Suspected Iran-linked threat actors are conducting password-spraying attacks against hundreds of organizations, primarily Middle Eastern municipalities, in campaigns that security researchers believe may have been aimed at supporting bomb-damage assessment following missile strikes.…
Analysis Summary
# Threat Actor: Gray Sandstorm (Suspected)
## Attribution & Identity
* **Actor Identification:** Gray Sandstorm (formerly known as NEPTUNIUM).
* **Aliases:** Associated with Iranian state-linked clusters; sometimes linked to activities by "Handala Hack" (though the article distinguishes between specific campaigns).
* **Known Associations:** Attributed to Iran-linked threat actors by Check Point Research and Microsoft. The actor utilizes infrastructure previously seen in other suspected Iranian cyber operations in the Middle East.
## Activity Summary
Between early and late March (specifically March 3, 13, and 23), the actor conducted a high-volume password-spraying campaign targeting Microsoft 365 (M365) environments. The operation was notable for its correlation with physical events, specifically targeting organizations in cities recently hit by Iranian missile strikes. Researchers assess the campaign likely supported kinetic military operations and Bomb Damage Assessment (BDA) by infiltrating municipal organizational communications.
## Tactics, Techniques & Procedures
* **Password Spraying:** Systematic attempts to access numerous M365 accounts using common/weak passwords.
* **Anonymization & Evasion:**
    * Use of frequently rotated **Tor exit nodes** to conduct the initial scanning/spraying phase.
    * Masquerading User-Agent strings to appear as Internet Explorer 10 (`Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)`).
* **Geofencing Bypass:** Once credentials are stolen, the actor logs in via **VPN IPs geolocated in Israel** (exploiting local IP ranges) to bypass conditional access policies or geographic restrictions.
* **Data Exfiltration:** Accessing personal email communications and sensitive cloud-stored data.
* **MITRE ATT&CK IDs:**
    * T1110.003 (Brute Force: Password Spraying)
    * T1078 (Valid Accounts)
    * T1592 (Gather Victim Network Information)
    * T1090.003 (Proxy: Multi-hop Proxy - Tor)
## Targeting
* **Sectors:**
    * **Primary:** Municipalities (local government).
    * **Secondary:** Technology (63 attempts), Transportation and Logistics (32), Healthcare (28), and Manufacturing (28).
* **Geography:**
    * **Primary Focus:** Israel (300+ organizations) and United Arab Emirates (25+ organizations).
    * **Limited Targeting:** United States, Europe, and Saudi Arabia.
* **Victims:** Specific municipal organizations in Israeli cities targeted by missile strikes.
## Tools & Infrastructure
* **Malware/Tools:** Red-team tools (unspecified) adapted for automated password spraying.
* **Infrastructure:**
    * **Tor Exit Nodes:** Multiple rotating nodes.
    * **VPN Providers:**
        * Windscribe (Range: `185[.]191[.]204[.]X`)
        * NordVPN (Range: `169[.]150[.]227[.]X`)
    * **Hosting:** Commercial VPN nodes hosted at `AS35758` (Rachamim Aviel Twito).
## Implications
This campaign demonstrates the integration of cyber operations with kinetic military strategy. By targeting municipal bodies responsible for emergency response and infrastructure management, the actor seeks to gain real-time intelligence on the effectiveness of physical missile strikes (Bomb Damage Assessment). This shift suggests that Iranian cyber activity is increasingly being used as a direct support mechanism for traditional warfare and intelligence gathering during active conflicts.
## Mitigations
* **Multi-Factor Authentication (MFA):** Implementation of robust MFA (preferably FIDO2 or app-based push) is the most effective defense against password spraying.
* **Log Analysis:** Audit M365 logs for the specific IE10 User-Agent string mentioned and monitor for logins from known Tor exit nodes.
* **Geographic Filtering:** While the actor uses local VPNs, security teams should tighten "impossible travel" alerts and scrutinize logins from commercial VPN IP ranges (Windscribe/NordVPN) even if they originate from within the target country.
* **Password Policies:** Enforce strong, unique passwords and implement account lockout or progressive delays for repeated failed login attempts from a single source.
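The Log Analysis and Geographic Filtering mitigations above, worked into detection logic as an added example (not part of the report): it flags spray sources (one IP failing against many accounts), the spoofed IE10 User-Agent, and successful sign-ins from the named VPN ranges, then correlates them into likely compromised accounts. The sign-in records are constructed, their field names are an assumption loosely modelled on Entra sign-in logs, and the `/24` prefix is an assumption for the report's `X` octet.

```python
"""Detection sketch: spray sources, spoofed IE10 UA, and successful sign-ins from
the commercial VPN ranges named in the report, correlated into compromised accounts."""
import ipaddress
from collections import defaultdict

# Indicators taken from the report; the /24 is an assumption for the "X" octet.
IE10_UA = "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
VPN_RANGES = {
    "Windscribe": ipaddress.ip_network("185.191.204.0/24"),
    "NordVPN": ipaddress.ip_network("169.150.227.0/24"),
}
SPRAY_THRESHOLD = 3  # distinct accounts failing from a single source IP

# Constructed sample sign-in records (fields loosely modelled on Entra sign-in logs).
SAMPLE_EVENTS = [
    {"user": "a@city.example", "ip": "198.51.100.7", "ua": IE10_UA, "status": "failure"},
    {"user": "b@city.example", "ip": "198.51.100.7", "ua": IE10_UA, "status": "failure"},
    {"user": "c@city.example", "ip": "198.51.100.7", "ua": IE10_UA, "status": "failure"},
    {"user": "b@city.example", "ip": "185.191.204.23", "ua": "Mozilla/5.0 (X11)", "status": "success"},
]

def detect_spray(events, threshold=SPRAY_THRESHOLD):
    """Map source IP -> sorted accounts for IPs failing against >= threshold distinct accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["status"] == "failure":
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in failed.items() if len(u) >= threshold}

def detect_ie10_ua(events):
    """Source IPs presenting the spoofed IE10 User-Agent string."""
    return {e["ip"] for e in events if e["ua"] == IE10_UA}

def detect_vpn_success(events, ranges=VPN_RANGES):
    """(user, ip, provider) for successful sign-ins originating in the named VPN ranges."""
    hits = []
    for e in events:
        if e["status"] != "success":
            continue
        addr = ipaddress.ip_address(e["ip"])
        hits += [(e["user"], e["ip"], p) for p, net in ranges.items() if addr in net]
    return hits

def likely_compromised(events):
    """Accounts that were sprayed and also signed in successfully from a VPN range."""
    sprayed = {u for users in detect_spray(events).values() for u in users}
    return sorted({user for user, _, _ in detect_vpn_success(events) if user in sprayed})

if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE_EVENTS))
    print("IE10 UA sources:", detect_ie10_ua(SAMPLE_EVENTS))
    print("likely compromised:", likely_compromised(SAMPLE_EVENTS))
```

A success from an in-country VPN range on an account that was just sprayed is the signal worth alerting on, since geographic conditional access alone will not catch it.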