Microsoft Reveals Iran Hacking Campaign Targeting Mideast Experts
Microsoft has revealed that "high-profile" experts specializing in Middle Eastern affairs are under attack from hackers believed to be linked to the Iranian government.
Microsoft has revealed that "high-profile" experts specializing in Middle Eastern affairs are under attack from hackers believed to be linked to the Iranian government.
The entities under attack were located in Belgium, France, Gaza, Israel, the United Kingdom, and the United States.
The Microsoft Threat Intelligence team, in a recent blog post, outlined that since November, a faction of the hacking group Mint Sandstorm has utilized "customized phishing lures to socially engineer targets into downloading malicious files."
The report notes the application of new tools in observed incidents. According to Microsoft, the operators in the Mint Sandstorm subgroup exhibit highly skilled social engineering capabilities, lacking many typical hallmarks that users rely on to identify phishing emails. In some instances, the subgroup used compromised but legitimate accounts to disseminate phishing lures.
Microsoft's findings indicate a correlation between the recent campaign and the ongoing conflict in Gaza, with phishing lures referencing the Israel-Hamas war. The objective is to gather diverse internal perspectives on the conflict.
Mint Sandstorm, also known as APT35 or Charming Kitten, is associated with the Islamic Revolutionary Guard Corps (IRGC), an intelligence arm of Iran's military. The campaign primarily targets people with access to information crucial to Tehran's leadership.
Prior instances involve the group targeting journalists, researchers, professors, and others with resource-intensive social engineering campaigns. Some cases featured legitimate yet compromised email accounts belonging to the impersonated victims.
Initial emails in some instances lacked malicious content as hackers aimed to establish relationships with their targets before initiating espionage processes.
On the evening of January 16, Iran's Revolutionary Guards (IRGC) launched a missile and drone attack on two alleged Jaish al-Adl bases in Pakistan’s Balochistan Province. Pakistan recalled its ambassador from Tehran and retaliated two days later by conducting airstrikes inside Iranian borders against “terrorists”.
The crisis, which now seems to have been somehow managed by both sides, was unprecedented in the four-decade history of the two Islamic republics' relations because Pakistan had never before taken such military action inside Iranian borders.
Iranian officials have on several occasions in the past decade, including in 2019, complained that Islamabad has taken no action against the members of Jaish al-Adl finding refuge in its territory despite Iran's provision of relevant information including locations of the militants’ hideouts.
The group currently led by Salahuddin Farooqui who is known for his opposition to Iran's support for Bashar al-Assad in the Syrian civil war, fights for an independent Baluchestan consisting of Baluch people on both sides of the Iran-Pakistan border. The militants call Farooqui their “Emir” and “Leader of Baluchestan/Balochistan Jihad”.
It is hard to say to what extent the group has support within the more than two-million strong Baluch population in Iran, which is the most oppressed and poverty stricken in the country. However, ordinary Baluch seem to be loyal to a charismatic Sunni cleric, Mowlavi Abdolhamid, regularly heeding his calls for peaceful protests against Iran’s Shiite government.
Jaish al-Adl has carried out dozens of large and small operations over the years against Iranian military forces, particularly the IRGC, including cross-border attacks and abduction of border guards and security personnel as well as bombings leading to the killing of civilians.
In a statement on its website (Shabake Adl) on January 16, Jaish al-Adl claimed targeting an IRGC vehicle carrying officers near the city of Iranshahr in Iran's restive Sistan and Baluchestan Province. The statement did not mention any casualties. Two days earlier the group had taken responsibility for an attack on an IRGC base in Saravan and claimed a sentry had been shot. The guards responded to the attack by “shooting aimlessly in various directions”, the group claimed.
Jaish al-Adl has been designated as a terrorist organization by Iran, whose officials often refer to it as Jaish al-Zulm (Army of Injustice) and “Takfiri terrorists.” The United States put the group on its foreign terrorist organizations list in 2010.
Iranian officials often allege that the group has ties with US, Saudi, and Israeli intelligence agencies and is funded by them.
Jaish al-Adl was founded by Abdul Rahim Mollazehi, a Baluch militant, in 2012 by reorganizing Jundullah (Army of God), also known as the People’s Resistance of Iran.
A few months after its emergence, on October 25, 2013, the group ambushed border patrols in Saravan in retaliation for the death sentences passed on 16 Baluch prisoners. Fourteen military personnel were killed, and seven others were seriously injured in the attack. Assailants, Iranian authorities said, fled to Pakistan’s tribal areas after the attack. Iran hanged all the sixteen prisoners the next day, claiming they were affiliated to Jaish al-Adl and other militant groups.
Jundullah, founded by Abdolmalek Rigi in 2002, operated in Iran's Sistan and Baluchestan Province and the adjoining Baluch-majority areas of Pakistan and Afghanistan and mainly demanded justice for the Sunni Baluchi population, and was not an overtly separatist group. Rigi said he considered himself as an Iranian citizen.
The militant group claimed responsibility for several bombings and assassinations such as the killing of 42 including five senior Revolutionary Guards commanders in Pisheen in 2009 but lost much of its power and influence in the region after Iran captured and executed Rigi in 2010. In 2013, Jundullah also claimed responsibility for bombing a church in Peshawar, Pakistan, in 2013 which killed 85.
Iranian authorities claimed that they had forced a commercial airliner flying from Dubai to Bishkek in Kyrgyzstan to land at Bandar Abbas International Airport based on intelligence indicating Rigi was onboard the plane with a forged Afghan passport. They also claimed Rigi had confessed to being in a US military base a day before his arrest.
The state TV showed Rigi being taken by masked commandos from the plane but there were also reports of him having been handed over to Iran by Pakistan and that Iran's claims were only a cover-up of Pakistan’s delivery of Rigi to them.
