AI Incident Database

Report 4908

Associated Incidents

Incident 97113 Report
Iranian Hacker Group Cotton Sandstorm Reportedly Integrating AI into Cyber Influence Operations
US and Israel Warn of Iranian Threat Actor’s New Tradecraft
infosecurity-magazine.com · 2024

The US and Israel have warned that the Iranian state-sponsored threat actor Cotton Sandstorm is deploying new tradecraft to target networks, including leveraging generative AI tools.

The joint advisory highlighted how the group, also known as Marnanbridge and Haywire Kitten, has recently shifted from ‘hack and leak’ operations against organizations primarily in Israel to a broader range of attacks impacting numerous countries, including Israel, France, Sweden and the US.

This includes actively scouting US election-related websites and media outlets, suggesting it is preparing to conduct more direct influence operations as US Election Day approaches.

The group has conducted multiple cyber operations targeting the 2024 Paris Olympics, including the compromise of a French commercial dynamic display provider, and has undertaken a project to harvest content from IP cameras.

The authoring agencies added that since April 2024, Cotton Sandstorm has used the online persona “Cyber Court” to promote the activities of several purported hacktivist groups conducting malicious activity against various countries as a means of protesting the Israel-Hamas conflict.

The FBI said it has reliable information that since mid-2024, Cotton Sandstorm has been operating under the company name Aria Sepehr Ayandehsazan (ASA) as a nominal cover, including for human resources and financial-related purposes.

Microsoft’s Digital Defense Report 2024 highlighted Cotton Sandstorm as part of the Islamic Revolutionary Guard Corps (IRGC), which conducts offensive cyber operations on behalf of Tehran.

Cotton Sandstorm’s New Tradecraft

The advisory highlighted several new tactics, techniques and procedures (TTPs) that Cotton Sandstorm has been observed using. These include:

  • New infrastructure tradecraft. Since mid-2023, the group has used several cover hosting providers for infrastructure management and obfuscation, including “Server-Speed” and “VPS-Agent.” It has set up its own resellers and procured server space from Europe-based providers, and these cover resellers are then used to provision operational servers for cyber actors to conduct malicious activities. For example, the cover resellers have been used to provide technical support to identified Lebanon-based individuals to host Hamas-affiliated websites.
  • Harvesting of open-source information. Following the October 7, 2023 Hamas attack on Israel, Cotton Sandstorm has attempted to identify information concerning Israeli fighter pilots and UAV operators by searching for information across numerous platforms including Pastebin and LinkedIn. It also uses online resources such as ancestry.com and familysearch.org in its operations, and searches for information via previously leaked data sets.
  • Incorporation of AI. The agencies said the group was observed incorporating generative AI in its messaging efforts during an operation called “For-Humanity.” This cyber-enabled influence operation in December 2023 impacted a US-based Internet Protocol Television (IPTV) streaming company. This attack leveraged unauthorized access to IPTV streaming services to disseminate crafted messaging pertaining to the Israel-Hamas military conflict.

The agencies added that Cotton Sandstorm continues to undertake significant reconnaissance, initial access, persistence and credential access as part of its operations.

Defending Against Cotton Sandstorm Attacks

The agencies set out a range of mitigation measures organizations should take in relation to Cotton Sandstorm’s tactics. These include:

  • Review any successful authentications to your network or company accounts from Virtual Private Network services such as Private Internet Access, Windscribe, ExpressVPN, Urban VPN and NordVPN
  • Put measures in place to ensure any previously compromised information cannot be used to conduct further malicious activity against your network
  • Apply regular updates to applications and the host operating system to ensure protection against known vulnerabilities
  • Establish an offline backup of servers
  • Employ user input validation to restrict local and remote file inclusion vulnerabilities
  • Implement a least-privilege policy on the web server
  • Consider deploying a demilitarized zone (DMZ) between your organization’s web-facing systems and the corporate network
  • Use reputable hosting services for websites and content management systems (CMS)
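
The first mitigation, reviewing successful logins that arrive from commercial VPN egress, is a log-review task. The following Python is an added example written for this page, not code from the advisory or from Infosecurity Magazine. It assumes a simple key=value authentication log format (constructed for the example) and uses RFC 5737 / RFC 3849 documentation prefixes as placeholders for the providers' egress ranges; the real ranges would come from a maintained VPN exit-node feed. It flags only successful authentications, ignores failures and malformed lines, and handles both IPv4 and IPv6 sources.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder data: provider names are those named in the
# advisory, but the prefixes are documentation ranges (RFC 5737 / RFC 3849),
# NOT the providers' real address space. Load a maintained feed in production.
VPN_EGRESS = {
    "Private Internet Access": ["198.51.100.0/24"],
    "Windscribe": ["203.0.113.0/25"],
    "ExpressVPN": ["203.0.113.128/26"],
    "Urban VPN": ["203.0.113.192/26"],
    "NordVPN": ["2001:db8:ab::/48"],
}

# Constructed sample authentication log (key=value audit format assumed here).
SAMPLE_LOG = """\
2024-10-29T08:12:44Z user=alice result=success src=198.51.100.17
2024-10-29T08:13:02Z user=bob result=failure src=198.51.100.17
2024-10-29T09:40:10Z user=carol result=success src=192.0.2.9
2024-10-29T11:05:51Z user=dave result=success src=2001:db8:ab:1::7
2024-10-29T11:06:00Z user=erin result=success src=203.0.113.200
2024-10-29T11:07:13Z malformed entry
"""

_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def build_lookup(egress):
    """Flatten the provider -> prefixes map into (network, provider) pairs."""
    return [
        (ipaddress.ip_network(prefix), provider)
        for provider, prefixes in egress.items()
        for prefix in prefixes
    ]


def vpn_provider(ip, lookup):
    """Return the provider whose egress range contains `ip`, else None.

    Unparseable addresses return None rather than raising, so one bad log
    field cannot abort a review run. Version mismatches (v4 address against
    a v6 network) are handled by ipaddress and simply do not match.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, provider in lookup:
        if addr in net:
            return provider
    return None


def review_logins(lines, egress=VPN_EGRESS):
    """Return successful logins whose source falls in a known VPN egress range."""
    lookup = build_lookup(egress)
    hits = []
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # failures and malformed lines are not of interest here
        provider = vpn_provider(m["src"], lookup)
        if provider:
            hits.append(
                {"ts": m["ts"], "user": m["user"], "src": m["src"], "provider": provider}
            )
    return hits


def by_provider(hits):
    """Count flagged logins per VPN provider (useful as a triage summary)."""
    return Counter(h["provider"] for h in hits)


if __name__ == "__main__":
    flagged = review_logins(SAMPLE_LOG.splitlines())
    for h in flagged:
        print(f'{h["ts"]} {h["user"]} from {h["src"]} ({h["provider"]})')
    print(dict(by_provider(flagged)))
```

A hit from this review is a lead, not a verdict: staff legitimately use commercial VPNs, so compare each flagged login against the user's usual sources and device, and treat a first-ever VPN login for a privileged account as the case worth escalating.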

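The input-validation item above is about local and remote file inclusion, where a request parameter ends up naming a file the server then reads or includes. The Python below is an added example for this page, not the advisory's own code, showing the vulnerable pattern next to a hardened version. Paths, the template directory and the allowed extensions are assumptions for illustration; the function names are invented here.

```python
import os
import re
from urllib.parse import urlsplit

# Vulnerable pattern: the request parameter is joined straight onto the
# template directory. "../" walks out of it, an absolute path replaces the
# base entirely (os.path.join discards the base), and a URL or stream
# wrapper passed to an include mechanism becomes remote file inclusion.
def vulnerable_include_path(base_dir: str, requested: str) -> str:
    return os.path.join(base_dir, requested)


# Assumed policy for the example: only these extensions may be included.
ALLOWED_EXT = {".html", ".txt"}
# Each path segment must be a plain identifier; this rejects ".", ".." and
# anything with separators, NUL bytes or scheme characters.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_-]+$")


def safe_include_path(base_dir: str, requested: str) -> str:
    """Validate `requested` and return its absolute path inside base_dir.

    Raises ValueError for anything that could escape base_dir. Validate the
    already-URL-decoded value the framework hands you; do not decode again.
    """
    # Remote inclusion and absolute paths: reject any scheme (http:, php:,
    # file:, data:) and any leading separator.
    if urlsplit(requested).scheme or requested.startswith(("/", "\\")):
        raise ValueError("absolute path or URL not allowed")
    # NUL truncation tricks and Windows-style separators.
    if "\x00" in requested or "\\" in requested:
        raise ValueError("illegal character in path")
    # Extension allow-list, checked on the final segment.
    stem, ext = os.path.splitext(requested)
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension {ext!r} not allowed")
    # Segment allow-list: no ".", "..", empty segments or odd characters.
    if not all(_SAFE_SEGMENT.match(seg) for seg in stem.split("/")):
        raise ValueError("path segment not allowed")
    # Defence in depth: resolve symlinks and confirm containment anyway.
    base = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, full]) != base:
        raise ValueError("resolved path escapes base directory")
    return full


def is_rejected(base_dir: str, requested: str) -> bool:
    """True if the hardened validator refuses `requested`."""
    try:
        safe_include_path(base_dir, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    base = "/opt/app/templates"  # assumed template directory
    for req in ["pages/about.html", "../../etc/passwd", "/etc/passwd",
                "http://attacker.example/shell.txt", "pages/../../secret.html"]:
        print(f"{req!r:40} vulnerable -> {vulnerable_include_path(base, req)}")
        print(f"{'':40} hardened   -> "
              f"{'REJECTED' if is_rejected(base, req) else safe_include_path(base, req)}")
```

The segment and extension allow-lists do the real work; the final `realpath` containment check is there so that a future relaxation of the regex, or a symlink dropped into the template tree, still cannot turn the include into a read of arbitrary files.
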
The advisory was issued by the Federal Bureau of Investigation (FBI), the US Department of Treasury, and Israel National Cyber Directorate.

