
US and Israel warn of Iranian threat actor’s new tradecraft

The US and Israel have warned that the Iranian state-sponsored threat actor Cotton Sandstorm is deploying new tradecraft to target networks, including the use of generative AI tools.

The joint advisory highlighted how the group, also known as Marnanbridge and Haywire Kitten, had recently moved from hack-and-leak operations against organizations mainly in Israel to a wider range of attacks affecting numerous countries, including Israel, France, Sweden and the USA.

These include actively scouting US election-related websites and media outlets, suggesting that the group is preparing to conduct more direct influence operations as presidential election day approaches.


The group has conducted several cyber operations targeting the Paris 2024 Olympic Games, including the compromise of a French commercial supplier of dynamic displays, and undertook a project to collect content from IP cameras.

The agencies added that since April 2024, Cotton Sandstorm has used the online persona “Cyber Court” to promote the activities of several alleged hacktivist groups carrying out malicious activities against various countries as a means of protesting the Israel-Hamas conflict.

The FBI said it has reliable information that since mid-2024, Cotton Sandstorm has been operating under the company name Aria Sepehr Ayandehsazan (ASA) as a nominal front, including for human resources and financial purposes.

Microsoft’s Digital Defense Report 2024 identified Cotton Sandstorm as part of the Islamic Revolutionary Guard Corps (IRGC), which conducts offensive cyber operations on behalf of Tehran.

Cotton Sandstorm’s new tradecraft

The advisory highlighted several new tactics, techniques and procedures (TTPs) observed from Cotton Sandstorm. These include:

  • New infrastructure. As of mid-2023, the group used several hosting providers for infrastructure management and obfuscation, “Server-Speed” and “VPS-Agent” among them. It has set up its own resellers and procured server space from providers in Europe, and these cover resellers are then used to provide operational servers for cyber actors to carry out malicious activities. For example, these cover resellers were used to provide technical support to individuals identified in Lebanon for hosting Hamas-affiliated websites.
  • Open-source information collection. In the wake of the October 7, 2023 Hamas attack on Israel, Cotton Sandstorm attempted to identify information about Israeli fighter pilots and UAV operators by searching for information on numerous platforms, including Pastebin and LinkedIn. It also uses online resources such as ancestry.com and familysearch.org in its operations and searches for information through previously leaked data sets.
  • Embedding AI. The agencies said the group was observed incorporating generative AI into its messaging efforts during an operation dubbed “For-Humanity.” This December 2023 cyber-enabled influence operation affected an IPTV (Internet Protocol Television) streaming company in the US. This attack took advantage of unauthorized access to IPTV streaming services to disseminate elaborate messages regarding the Israel-Hamas military conflict.

The agencies added that Cotton Sandstorm continues to perform significant reconnaissance, initial access, persistence and credential access as part of its operations.

Defending against Cotton Sandstorm attacks

The agencies set out a number of mitigations that organizations should apply against Cotton Sandstorm’s tactics. These include:

  • Review any successful logins to your company’s network or accounts from VPN services such as Private Internet Access, Windscribe, ExpressVPN, Urban VPN and NordVPN
  • Establish measures to ensure that any previously compromised information cannot be exfiltrated to conduct malicious activity against your network
  • Apply regular application and host operating system updates to ensure protection against known vulnerabilities
  • Set up offline backups of your servers
  • Validate user input to restrict local and remote file inclusion vulnerabilities
  • Implement a least-privilege policy on your web server
  • Consider implementing a demilitarized zone (DMZ) between your organization’s web-facing systems and the corporate network
  • Use reputable website hosting services and content management systems (CMS)
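The first mitigation above, reviewing successful logins that arrive from commercial VPN services, is the kind of check a SOC would automate rather than eyeball. The following is an added example, not code from the advisory or the agencies that issued it: it matches constructed, syslog-style login lines against a provider-to-CIDR table and reports only the successful ones. The CIDRs and log format are assumptions invented for this example (the addresses are from documentation ranges and are not any provider’s real egress space); in practice the ranges would come from a maintained IP-reputation or threat-intelligence feed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample: VPN provider egress ranges keyed by the provider names
# named in the advisory. These CIDRs are placeholders (RFC 5737 documentation
# space) invented for this example, NOT real provider address space.
VPN_RANGES: Dict[str, List[str]] = {
    "Private Internet Access": ["203.0.113.0/26"],
    "Windscribe": ["203.0.113.64/26"],
    "ExpressVPN": ["203.0.113.128/26"],
    "Urban VPN": ["203.0.113.192/26"],
    "NordVPN": ["198.51.100.0/24"],
}

# Constructed sample log lines in a simple syslog-like layout; the field
# layout is an assumption for this example, not any vendor's real format.
SAMPLE_LOG = """\
2024-10-30T08:12:01Z vpn-gw sshd: Accepted password for jdoe from 192.0.2.10 port 52211
2024-10-30T08:15:44Z vpn-gw sshd: Failed password for admin from 203.0.113.5 port 41022
2024-10-30T08:16:02Z vpn-gw sshd: Accepted publickey for svc-backup from 203.0.113.70 port 40001
2024-10-30T09:01:19Z webmail imapd: Login succeeded user=asmith src=198.51.100.42
2024-10-30T09:03:55Z webmail imapd: Login failed user=asmith src=198.51.100.42
"""

# One pattern per log source. Each matches ONLY successful logins and must
# capture the account name and the source address.
SUCCESS_PATTERNS = [
    re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"),
    re.compile(r"Login succeeded user=(?P<user>\S+) src=(?P<src>[\d.]+)"),
]


def build_networks(ranges: Dict[str, List[str]]) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Parse the CIDR table once into (provider, network) pairs."""
    nets = []
    for provider, cidrs in ranges.items():
        for cidr in cidrs:
            nets.append((provider, ipaddress.ip_network(cidr)))
    return nets


def vpn_provider_for(ip_str: str, nets) -> Optional[str]:
    """Return the provider whose range contains ip_str, or None."""
    ip = ipaddress.ip_address(ip_str)
    for provider, net in nets:
        if ip in net:
            return provider
    return None


def find_vpn_logins(lines: Iterable[str], ranges: Dict[str, List[str]] = VPN_RANGES) -> List[dict]:
    """Return one record per successful login whose source is a known VPN range.

    Failed logins are ignored on purpose: the advisory's concern is accounts
    that were actually accessed through an anonymising service.
    """
    nets = build_networks(ranges)
    hits = []
    for line in lines:
        for pattern in SUCCESS_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            provider = vpn_provider_for(match.group("src"), nets)
            if provider:
                hits.append({
                    "timestamp": line.split(" ", 1)[0],
                    "user": match.group("user"),
                    "src": match.group("src"),
                    "provider": provider,
                })
            break  # a line belongs to exactly one log source
    return hits


if __name__ == "__main__":
    for hit in find_vpn_logins(SAMPLE_LOG.splitlines()):
        print(f"{hit['timestamp']} REVIEW: {hit['user']} logged in from "
              f"{hit['src']} ({hit['provider']})")
```

Running the block over the constructed lines flags two events for review (svc-backup via a Windscribe range and asmith via a NordVPN range) and stays silent on the failed attempts and on the login from an address outside every listed range; a real deployment would feed the hits into ticketing or a SIEM rule rather than print them.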
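The mitigation on validating user input against local and remote file inclusion is easiest to see with the weak handler beside the hardened one. This is an added example, not code from the advisory or from any product it mentions: a web application that picks a page template from a request parameter. The directory, page names and function names are assumptions made for the example.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Example assumptions: where page templates live, and the only names the
# application is willing to include. Anything else is refused outright.
BASE_DIR = "/srv/www/pages"
ALLOWED_PAGES = {"home", "about", "contact"}
SAFE_NAME = re.compile(r"^[a-z0-9_-]{1,32}$")


class IncludeRejected(ValueError):
    """Raised when a requested include fails validation."""


def include_path_vulnerable(base_dir: str, requested: str) -> str:
    # The classic defect: the request value is concatenated straight into the
    # path. "../../etc/passwd" walks out of base_dir (local file inclusion),
    # and if the loader also accepts URLs, "http://..." pulls in remote
    # content (remote file inclusion). Kept here only to show the contrast.
    return f"{base_dir}/{requested}.html"


def include_path_hardened(base_dir: str, requested: str) -> str:
    # 1. Anything with a URL scheme is a remote-inclusion attempt; refuse it.
    if urlsplit(requested).scheme:
        raise IncludeRejected("remote inclusion attempt")
    # 2. Allowlist by exact name. The regex also rules out '/', '..', NUL
    #    bytes and over-long values before the set lookup runs.
    if not SAFE_NAME.match(requested) or requested not in ALLOWED_PAGES:
        raise IncludeRejected(f"page not allowed: {requested!r}")
    # 3. Defence in depth: resolve the final path (following symlinks) and
    #    confirm it still sits beneath base_dir.
    base = Path(base_dir).resolve()
    candidate = (base / f"{requested}.html").resolve()
    if not candidate.is_relative_to(base):
        raise IncludeRejected("path escapes base directory")
    return str(candidate)


def is_rejected(base_dir: str, requested: str) -> bool:
    """Convenience wrapper so callers can test a value without try/except."""
    try:
        include_path_hardened(base_dir, requested)
        return False
    except IncludeRejected:
        return True


if __name__ == "__main__":
    for value in ("about", "../../etc/passwd", "http://203.0.113.9/x.txt", "admin"):
        verdict = "rejected" if is_rejected(BASE_DIR, value) else "allowed"
        print(f"{value!r:32} vulnerable -> {include_path_vulnerable(BASE_DIR, value)}")
        print(f"{'':32} hardened   -> {verdict}")
```

The allowlist does almost all of the work; the resolve-and-compare step is there so that a future change to the allowlist (or a symlink planted in the template directory) cannot quietly reopen the traversal. `Path.is_relative_to` requires Python 3.9 or later.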

The advisory was issued by the Federal Bureau of Investigation (FBI), the US Treasury Department and Israel’s National Cyber Directorate.