US and Israel Warn of Iranian Threat Actor’s New Tradecraft: Ransomhub Decryptor Team Tracks Cotton Sandstorm’s Evolving Tactics
The United States and Israel have issued a joint advisory (FBI, U.S. Department of the Treasury and the Israel National Cyber Directorate, 30 October 2024) warning about the evolving tactics of the Iranian state-sponsored threat actor Cotton Sandstorm. The group, tracked in the advisory as Emennet Pasargad and also known as Marnanbridge and Haywire Kitten, has adapted its tradecraft, including new hosting infrastructure and the use of generative AI tools in its influence operations. Because these shifts reach well beyond the Middle East, the Ransomhub Decryptor Team has been closely monitoring Cotton Sandstorm’s operations, particularly against networks in Israel, France, Sweden, and the United States.
A Shift in Focus: From Hack-and-Leak to Broader Operations
Cotton Sandstorm historically focused on “hack-and-leak” campaigns against Israeli organizations, but since 2023 it has broadened its scope to a wider range of sectors and countries. Notably, the advisory reports that the group has been scouting U.S. election-related websites and media outlets, indicating its readiness to conduct influence operations around the 2024 U.S. Presidential Election. This pivot from a regional to a global footprint suggests the group is adjusting its strategy to exert broader geopolitical influence.
The group has also been linked to activity around the 2024 Paris Olympics: it compromised a French commercial dynamic display provider and attempted to use that access to push messaging denouncing Israel’s participation in the Games. Cotton Sandstorm has additionally begun harvesting content from compromised IP cameras, most plausibly for intelligence collection, further widening its operational range.
Cyber Court and Influence Operations
Since April 2024, Cotton Sandstorm has used the online persona “Cyber Court” to promote and amplify the activities of hacktivist groups that claim to conduct cyberattacks against multiple countries. These actions, framed as protest against the Israel-Hamas conflict, show Cotton Sandstorm’s intent to blend hacktivism with state-sponsored cyber campaigns. The Ransomhub Decryptor Team has noted that the group uses these personas to shape the narrative online, blurring the line between nation-state hacking and ideologically driven cyber-activism.
Corporate Cover: Aria Sepehr Ayandehsazan (ASA)
Since mid-2024, Cotton Sandstorm has operated under the cover of a company named Aria Sepehr Ayandehsazan (ASA), which fronts the group’s human resources and financial functions. The corporate cover lends its activity a veneer of legitimacy and complicates efforts to attribute operations directly to the Iranian government. Our team has observed ASA being used to meet the logistical and financial needs of these cyber operations, which supports sustained campaigns over extended periods.
New Tactics, Techniques, and Procedures (TTPs)
The joint advisory from the U.S. and Israel highlights several significant developments in Cotton Sandstorm’s operations, including:
- Infrastructure Tradecraft: Since mid-2023, the group has procured server space from Europe-based hosting providers through cover hosting resellers it controls, “Server-Speed” and “VPS-Agent,” and has used that space to provision operational servers for its cyber activities. The Ransomhub Decryptor Team notes that, per the advisory, these cover resellers also likely provide technical support for Hamas-affiliated websites hosted by individuals based in Lebanon.
- Harvesting Open-Source Information: Following the October 7, 2023, Hamas attack on Israel, Cotton Sandstorm increased its efforts to gather information on Israeli fighter pilots and UAV operators. It scours platforms such as Pastebin and LinkedIn and online genealogy resources such as ancestry.com and familysearch.org, and cross-references what it finds with previously leaked datasets. Our team assesses this as part of a broader intelligence-gathering campaign rather than opportunistic collection.
- Incorporation of AI: Cotton Sandstorm has integrated generative AI applications into its content production, marking a new phase in its cyber-enabled influence campaigns. During a December 2023 operation dubbed “For-Humanity,” the group used unauthorized access to a U.S.-based Internet Protocol Television (IPTV) streaming service to disseminate crafted messaging about the Israel-Hamas conflict. AI-generated imagery, audio and text let the group produce tailored messaging at scale, signalling a more capable psychological-operations component.
Persistence and Adaptation
Cotton Sandstorm continues to show resilience and adaptability. The group conducts extensive reconnaissance before attempting initial access to targeted networks, and relies on credential theft and persistence techniques to keep a foothold in compromised systems. The Ransomhub Decryptor Team has seen that Cotton Sandstorm remains undeterred by previous disruptions and exposure, continuing to infiltrate and disrupt systems in support of its geopolitical objectives.
Defensive Measures Against Cotton Sandstorm Attacks
The advisory from the FBI, the U.S. Department of Treasury, and the Israel National Cyber Directorate provides key defensive measures that organizations should adopt to mitigate the threat posed by Cotton Sandstorm. These include:
- Reviewing Network Authentications: Scrutinize successful authentications (VPN, SSO, webmail, CMS logins) whose source address belongs to a commercial VPN service; the advisory specifically names Private Internet Access, Windscribe, ExpressVPN, Urban VPN, and NordVPN as services the actor has used to mask its origin. Legitimate users also use these services, so such hits need analyst triage against the user’s normal pattern rather than automatic blocking.
- Preventing Reuse of Compromised Data: Ensure that information already compromised cannot be used for further malicious purposes; in practice this means rotating any exposed credentials and keys. Robust network monitoring and data loss prevention (DLP) controls help detect and limit exfiltration in the first place.
- Regular Updates and Patching: Keep applications and host operating systems updated to close known vulnerabilities, a fundamental defence against the web-facing exploitation this group favours.
- Offline Backups: Maintain offline, tested backups of critical servers to recover from ransomware or destructive attacks.
- User Input Validation: Implement input validation on web servers to prevent local and remote file inclusion: allowlist the file names a page may load and reject anything that carries a URL scheme, a network path or path-traversal sequences.
- Least-Privilege Policies: Enforce least-privilege access on web-facing systems so that a compromised web application cannot read, write or execute beyond what it strictly needs, limiting the impact of a breach.
- DMZ Deployment: Place a demilitarized zone (DMZ) between web-facing systems and the corporate network so that an attacker who compromises a public server must cross another boundary to move laterally.
- Reputable Hosting Services: Host websites and content management systems (CMS) with reputable providers to reduce exposure to threats that target weaker infrastructure providers.
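The first mitigation above, reviewing successful authentications that originate from commercial VPN exits, is easy to operationalize against an exported authentication log. The following Python is an added example written for this page, not code from the advisory or the Ransomhub Decryptor Team. The log format, the usernames and the source addresses are constructed, and the prefixes assigned to each provider are placeholders taken from the RFC 5737 documentation ranges rather than the providers’ real exit ranges; a real deployment would load each provider’s published IP list or an ASN-derived feed into the same structure.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder prefixes from the RFC 5737 documentation ranges, constructed
# for this example. They are NOT the providers' real exit ranges; in practice
# load the published IP lists or an ASN-to-prefix feed for each provider.
VPN_EXIT_PREFIXES = {
    "Private Internet Access": ["203.0.113.0/24"],
    "Windscribe": ["198.51.100.0/25"],
    "ExpressVPN": ["198.51.100.128/25"],
    "Urban VPN": ["192.0.2.0/26"],
    "NordVPN": ["192.0.2.64/26"],
}

VPN_NETS = [
    (ipaddress.ip_network(prefix), provider)
    for provider, prefixes in VPN_EXIT_PREFIXES.items()
    for prefix in prefixes
]

# Constructed log format for the example; map your SSO/VPN/webmail export
# into these fields (timestamp, result, user, source IP, service).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>SUCCESS|FAILURE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) svc=(?P<svc>\S+)$"
)

# Constructed sample records (not real telemetry).
SAMPLE_LOG = """\
2024-10-31T02:14:07Z auth SUCCESS user=jdoe src=203.0.113.45 svc=sso
2024-10-31T02:15:11Z auth FAILURE user=jdoe src=203.0.113.45 svc=sso
2024-10-31T08:02:33Z auth SUCCESS user=asmith src=10.20.30.40 svc=vpn
2024-10-31T09:45:10Z auth SUCCESS user=webadmin src=192.0.2.70 svc=cms
2024-10-31T09:46:02Z auth SUCCESS user=jdoe src=198.51.100.200 svc=webmail
this line is not an auth record
"""


def vpn_provider(ip_str):
    """Return the provider whose exit range contains ip_str, else None."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for net, provider in VPN_NETS:
        if ip in net:
            return provider
    return None


def parse_line(line):
    """Parse one record into a dict, or None if the line is not an auth event."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review_authentications(log_text):
    """Successful authentications whose source sits in a commercial VPN exit range.

    Failed attempts are skipped: the advisory's point is that the actor
    completed logins from these services, so successes are what need triage."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "SUCCESS":
            continue
        provider = vpn_provider(rec["src"])
        if provider is not None:
            hits.append({**rec, "provider": provider})
    return hits


def summarize_by_user(hits):
    """user -> sorted (provider, service) pairs, to compare against the user's baseline."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["user"]].add((h["provider"], h["svc"]))
    return {user: sorted(pairs) for user, pairs in summary.items()}


if __name__ == "__main__":
    for h in review_authentications(SAMPLE_LOG):
        print(f'{h["ts"]} {h["user"]:<10} {h["svc"]:<8} {h["src"]:<16} {h["provider"]}')
```

On the constructed sample this flags three successful logins (two for jdoe via different providers and services, one for webadmin to the CMS) and ignores the failed attempt and the internal address. The per-user summary is the analyst’s starting point: a user who has never authenticated from a VPN exit before, or who appears from two providers within minutes, is worth a closer look, whereas a known remote worker on a consistent provider usually is not.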
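The input-validation mitigation above targets local and remote file inclusion, the classic weakness in a web application that loads a page or template named by a request parameter. The following Python is an added example for this page, not code from the advisory or from any product it discusses; the template directory path and the request values are constructed. It places the unsafe “before” resolution beside a hardened version that rejects URL schemes and network paths (the remote-inclusion case), rejects NUL bytes and encoded traversal, allowlists the file name, and finally canonicalizes the resolved path and checks that it stays inside the template directory.

```python
import os
import re
import urllib.parse


class UnsafeInclude(ValueError):
    """Raised when a requested include fails validation."""


# Allowlist for a flat template name: letters, digits, underscore, hyphen and
# an optional .html extension. Slashes, dot sequences and encodings cannot pass.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}(\.html)?$")


def vulnerable_resolve(base_dir, page):
    """Unsafe 'before' version kept only for contrast.

    The request parameter is joined straight onto the template directory, so
    '../../etc/passwd' walks out of base_dir (local file inclusion). An include
    primitive that also understands URLs (e.g. PHP include() with
    allow_url_include enabled) would additionally fetch 'http://...' content
    (remote file inclusion). Nothing is read here; only the path is shown.
    """
    return os.path.normpath(os.path.join(base_dir, page))


def classify_include(page):
    """Pure validation step with no filesystem access.

    Returns 'ok' or a short rejection reason, in the order the checks run."""
    parts = urllib.parse.urlsplit(page)
    if parts.scheme or parts.netloc or page.startswith("//"):
        return "rejected: URL scheme or network path (RFI)"
    # Decode percent-encoding once so '..%2f' cannot slip past the allowlist.
    decoded = urllib.parse.unquote(page)
    if "\x00" in decoded:
        return "rejected: NUL byte"
    if not SAFE_NAME.fullmatch(decoded):
        return "rejected: not in allowlist pattern"
    return "ok"


def resolve_include(base_dir, page):
    """Validate, then canonicalize and confirm the target stays inside base_dir.

    realpath() follows symlinks, so a link planted inside the template
    directory that points elsewhere is caught by the containment check even
    though its name passed the allowlist. Defence in depth, not redundancy.
    """
    verdict = classify_include(page)
    if verdict != "ok":
        raise UnsafeInclude(verdict)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, urllib.parse.unquote(page)))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeInclude("rejected: resolved outside template directory")
    return target


def is_safe_include(base_dir, page):
    """Boolean convenience wrapper around resolve_include()."""
    try:
        resolve_include(base_dir, page)
        return True
    except UnsafeInclude:
        return False


def load_page(base_dir, page):
    """Read a validated template; the only place user input reaches open()."""
    with open(resolve_include(base_dir, page), encoding="utf-8") as f:
        return f.read()


if __name__ == "__main__":
    # Constructed request values exercising each rejection path.
    for candidate in ["about.html", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
                      "http://evil.example/shell.txt", "//evil.example/shell.txt",
                      "php://filter/resource=index", "about.html%00.png"]:
        print(f"{candidate!r:40} -> {classify_include(candidate)}")
    print("unsafe join gives:", vulnerable_resolve("/srv/app/templates", "../../etc/passwd"))
```

The allowlist does most of the work; the scheme check is what specifically blocks remote inclusion, and the realpath containment check exists for the case the allowlist cannot see, a symlink inside the template directory. The same shape applies in any language: validate the name, never the concatenated path, and confirm containment after canonicalization.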
Conclusion
As Cotton Sandstorm continues to evolve its tactics, the Ransomhub Decryptor Team remains committed to monitoring and mitigating the threat posed by this Iranian state-sponsored group. With its growing use of generative AI, its influence operations under hacktivist personas, and its cover-reseller hosting infrastructure, Cotton Sandstorm presents a complex and dynamic challenge to organizations around the globe. The joint U.S.-Israeli advisory underscores the need for a coordinated, international approach to defending against such persistent and adaptive adversaries.