Smoke Sandstorm

Threat Actor updated 2 months ago (2024-08-29T11:18:11.922Z)
Smoke Sandstorm, also known as UNC1549 and Tortoiseshell, is a threat actor believed to be based in Iran. The group was discovered by Google Cloud's Mandiant and has been linked to spear phishing and watering-hole attacks aimed at credential harvesting and malware distribution. Smoke Sandstorm has been noted for its sophisticated tactics, with each cyberattack campaign being customized to the targeted organization, demonstrating a high level of preparation and understanding of the victims' infrastructure.

In 2021, Microsoft reported that Smoke Sandstorm had compromised the email accounts of a Bahrain-based IT integrator, likely as a strategic move to gain access to the firm's government clients. This incident highlighted the group's ability to leverage third-party providers for their operations, thereby increasing their reach and potential impact. Similar techniques have been observed among other Iranian groups, indicating a shared modus operandi within this geographical region.

The group's activities are not limited to the Middle East, however. UNC1549 has targeted aerospace and defense firms in Israel, the United Arab Emirates, and other countries across the wider Middle East region. These operations underline the strategic interests of the group and suggest a focus on sectors of significant national security importance. As such, the activities of Smoke Sandstorm pose a substantial threat to both corporate and governmental entities globally.
Description last updated: 2024-08-29T11:16:50.062Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias / Description / Votes

Unc1549 is a possible alias for Smoke Sandstorm. UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud's Mandiant, who have
Votes: 2

Tortoiseshell is a possible alias for Smoke Sandstorm. Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c
Votes: 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Google
Iran
Phishing
Malware
Analyst Notes & Discussion