Smoke Sandstorm

Threat Actor Profile Updated 3 months ago
Smoke Sandstorm, also tracked as UNC1549 and Tortoiseshell, is a threat actor linked to Iran. The campaign profiled here was uncovered by Google Cloud’s Mandiant and relies on spear phishing and watering-hole attacks to harvest credentials and deliver malware. The group tailors each intrusion to the organization it is targeting rather than reusing one lure across victims. In 2021, Microsoft reported that Smoke Sandstorm had compromised email accounts at a Bahrain-based IT integrator, most likely as a stepping stone to the firm's government clients: the intended victims were reached indirectly, through a trusted partner or service provider. Its primary targets appear to be aerospace and defense firms in Israel, the United Arab Emirates and the wider Middle East, which points to a geopolitical rather than financial motivation and suggests the intrusions serve a broader strategic agenda. Organizations in those sectors and regions should treat supplier and partner access as part of their own attack surface, watch for credential phishing, and keep their defenses current.
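As an added illustration (this is not the site's STIX export, and not Mandiant's or Microsoft's data), the following Python encodes the profile above as a STIX 2.1 bundle using only the standard library and sanity-checks it before it is loaded into a threat-intelligence platform. The object IDs are freshly generated UUIDs, the vocabulary values chosen for sectors and motivation ("aerospace", "defense", "technology", "dominance"), the confidence of 50 on the Iran attribution, and the small relationship table in `ALLOWED_RELS` are this example's own assumptions rather than anything the profile states.

```python
"""Added example: encode the Smoke Sandstorm profile as STIX 2.1 and validate it."""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 identifier: "<object-type>--<UUIDv4>".
STIX_ID = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)

# Relationship types the STIX 2.1 spec allows between these object types
# (assumption: only the subset this bundle needs; extend if you add SDO types).
ALLOWED_RELS = {
    ("threat-actor", "identity"): {"targets", "attributed-to", "impersonates"},
    ("threat-actor", "location"): {"targets", "located-at"},
}


def _timestamp():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type, ts, **props):
    """Common STIX Domain Object envelope plus type-specific properties."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def relationship(src, rel_type, dst, ts, **props):
    return sdo("relationship", ts, relationship_type=rel_type,
               source_ref=src["id"], target_ref=dst["id"], **props)


def build_bundle():
    """Encode the profile text: actor, aliases, victim sectors/regions, suspected origin."""
    ts = _timestamp()
    actor = sdo(
        "threat-actor", ts,
        name="Smoke Sandstorm",
        aliases=["UNC1549", "Tortoiseshell"],
        threat_actor_types=["nation-state"],
        sophistication="advanced",
        resource_level="government",
        primary_motivation="dominance",  # assumption: closest vocab term to "geopolitical"
        description="Iran-linked actor using spear phishing and watering-hole "
                    "attacks to harvest credentials and deliver malware.",
    )
    # Victim sectors as identity objects, using the industry-sector vocabulary.
    sectors = [sdo("identity", ts, name=n, identity_class="class", sectors=[s])
               for n, s in [("Aerospace firms", "aerospace"),
                            ("Defense firms", "defense"),
                            ("IT integrators", "technology")]]
    regions = [sdo("location", ts, name=n, country=c)
               for n, c in [("Israel", "IL"), ("United Arab Emirates", "AE"),
                            ("Bahrain", "BH")]]
    origin = sdo("location", ts, name="Iran", country="IR")
    objects = [actor, *sectors, *regions, origin]
    objects += [relationship(actor, "targets", o, ts) for o in sectors + regions]
    # The profile says "linked to Iran", so record attribution with moderate confidence.
    objects.append(relationship(actor, "located-at", origin, ts, confidence=50))
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def validate(bundle):
    """Return a list of problems; an empty list means the bundle is internally consistent."""
    problems = []
    ids = {o.get("id"): o.get("type") for o in bundle["objects"]}
    for o in bundle["objects"]:
        oid = o.get("id", "<no id>")
        for key in ("type", "spec_version", "id", "created", "modified"):
            if key not in o:
                problems.append(f"{oid}: missing required property {key}")
        if not STIX_ID.match(oid) or not oid.startswith(o.get("type", "") + "--"):
            problems.append(f"{oid}: malformed identifier")
        if o.get("type") == "relationship":
            src, dst = ids.get(o.get("source_ref")), ids.get(o.get("target_ref"))
            if src is None or dst is None:
                problems.append(f"{oid}: source_ref or target_ref does not resolve in bundle")
            elif o.get("relationship_type") not in ALLOWED_RELS.get((src, dst), set()):
                problems.append(f"{oid}: {src} -{o.get('relationship_type')}-> {dst} not allowed")
    return problems


def targeted_sectors(bundle):
    """Sectors of every identity the threat actor 'targets', sorted."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    found = set()
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "targets":
            target = by_id[o["target_ref"]]
            if target["type"] == "identity":
                found.update(target.get("sectors", []))
    return sorted(found)


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("problems:", validate(bundle) or "none")
```

The validator deliberately refuses dangling `source_ref`/`target_ref` values and relationship types the spec does not define for the object pair; both are common causes of silent import failures or orphaned objects when bundles from different vendors are merged.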
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at (community votes in parentheses).

Unc1549 (2 votes)
UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud’s Mandiant, who have

Tortoiseshell (2 votes)
Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Iran
Google
Phishing
Malware
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Smoke Sandstorm threat actor was read from the documents listed below (source, age, title).
DARKReading, 5 months ago: 'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms
DARKReading, 5 months ago: CISO Corner: Operationalizing NIST CSF 2.0; AI Models Run Amok
CERT-EU, 5 months ago: Operationalizing NIST CSF 2.0; AI Models Run Amok | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU, 5 months ago: 'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting