Smoke Sandstorm

Threat Actor updated 3 months ago (2024-08-29T11:18:11.922Z)

Download STIX

Preview STIX

Smoke Sandstorm, also known as UNC1549 and Tortoiseshell, is a threat actor believed to be based in Iran. The group was discovered by Google Cloud's Mandiant and has been linked to spear phishing and watering-hole attacks aimed at credential harvesting and malware distribution. Smoke Sandstorm has been noted for its sophisticated tactics, with each cyberattack campaign being customized to the targeted organization, demonstrating a high level of preparation and understanding of the victims' infrastructure. In 2021, Microsoft reported that Smoke Sandstorm had compromised the email accounts of a Bahrain-based IT integrator, likely as a strategic move to gain access to the firm's government clients. This incident highlighted the group's ability to leverage third-party providers for their operations, thereby increasing their reach and potential impact. Similar techniques have been observed among other Iranian groups, indicating a shared modus operandi within this geographical region. The group's activities are not limited to the Middle East, however. UNC1549 has targeted aerospace and defense firms in Israel, the United Arab Emirates, and other countries across the wider Middle East region. These operations underline the strategic interests of the group and suggest a focus on sectors of significant national security importance. As such, the activities of Smoke Sandstorm pose a substantial threat to both corporate and governmental entities globally.

Description last updated: 2024-08-29T11:16:50.062Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Unc1549 is a possible alias for Smoke Sandstorm. UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud’s Mandiant, who have	2
Tortoiseshell is a possible alias for Smoke Sandstorm. Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Google

Iran

Phishing

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Smoke Sandstorm Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	3 months ago	Iran-linked APT33 adds new Tickler malware to its arsenal
DARKReading	9 months ago	'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms
DARKReading	9 months ago	CISO Corner: Operationalizing NIST CSF 2.0; AI Models Run Amok
CERT-EU	9 months ago	Operationalizing NIST CSF 2.0; AI Models Run Amok \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	9 months ago	'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting