US and Israeli Authorities Sound Alarm on Iranian State-Sponsored Threat Actor Cotton Sandstorm’s Evolving Tactics
In a joint advisory, the US Federal Bureau of Investigation (FBI) and the Israeli National Cyber Directorate have warned that the Iranian state-sponsored threat actor known as Cotton Sandstorm is expanding its cyber operations to target networks globally. This group, also referred to as Marnanbridge and Haywire Kitten, has been shifting its focus from traditional “hack and leak” tactics primarily targeting organizations in Israel to a broader range of attacks impacting multiple countries, including Israel, France, Sweden, and the US.
Background on Cotton Sandstorm
Cotton Sandstorm’s activities have taken on a more sophisticated tone in recent months, with the group using online personas such as “Cyber Court” to promote malicious activity conducted by purported hacktivist groups protesting the Israel-Hamas conflict. The FBI reports that since mid-2024, Cotton Sandstorm has been operating under the company name Aria Sepehr Ayandehsazan (ASA) as a nominal cover for human resources and financial-related purposes.
New Tradecraft and Tactics
The advisory highlights several new tactics, techniques, and procedures (TTPs) that Cotton Sandstorm has been observed using. These include:
- Infrastructure tradecraft: Since mid-2023, the group has used various hosting providers to manage infrastructure and evade detection. This includes setting up resellers and procuring server space from Europe-based providers.
- Harvesting of open-source information: Following the October 7, 2023 Hamas attack on Israel, Cotton Sandstorm has attempted to identify sensitive information about Israeli fighter pilots and UAV operators by searching for information across multiple platforms.
- Incorporation of AI: The group was observed incorporating generative AI in its messaging efforts during an operation called “For-Humanity” in December 2023. This attack leveraged unauthorized access to IPTV streaming services to disseminate crafted messaging pertaining to the Israel-Hamas military conflict.
Defending Against Cotton Sandstorm Attacks
To mitigate the risks posed by Cotton Sandstorm’s tactics, organizations are advised to take the following steps:
- Review and monitor authentication attempts: Regularly review any successful authentications to your network or company accounts from Virtual Private Network (VPN) services.
- Protect sensitive information: Ensure that previously compromised information cannot be exfiltrated to conduct further malicious activity against your network.
- Maintain up-to-date software: Regularly update applications and the host operating system to ensure protection against known vulnerabilities.
- Implement offline backups: Establish an offline backup of servers to prevent data loss in case of a cyberattack.
- Validate user input: Implement user input validation to prevent local and remote file inclusion vulnerabilities.
- Enforce least-privileges policy: Consider implementing a least-privileges policy on web servers to limit access and reduce the attack surface.
- Use reputable hosting services: Use reputable hosting services for websites and content management systems (CMS) to minimize the risk of compromise.
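One way to put the first of these steps into practice (reviewing successful authentications that originate from VPN services) is a small log-review script that flags successful logins from address ranges the organization has attributed to VPN providers. The following is an added example, not code from the advisory or from this article; the log line format, the VPN CIDR ranges and the user names are constructed assumptions.

```python
import ipaddress
import re

# Constructed: CIDR ranges the organization has attributed to commercial
# VPN / anonymizer providers (hypothetical documentation ranges, not from
# the advisory). In practice this list would come from a threat-intel feed.
VPN_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample authentication log lines in an assumed syslog-like format.
SAMPLE_LOG = """\
2024-10-01T08:12:03Z auth sshd: Accepted publickey for jdoe from 192.0.2.15
2024-10-01T08:14:44Z auth sshd: Accepted password for svc_backup from 203.0.113.77
2024-10-01T08:15:10Z auth sshd: Failed password for root from 203.0.113.78
2024-10-01T09:02:51Z auth sso: Login success user=asmith ip=198.51.100.9
2024-10-01T09:05:00Z auth sso: Login success user=bwong ip=198.51.100.200
"""

# Matches both the sshd style ("... for USER from IP") and the SSO style
# ("... user=USER ip=IP") used in the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<src>\w+): (?P<msg>.*?)"
    r"(?:for |user=)(?P<user>\S+) (?:from |ip=)(?P<ip>[\d.]+)$"
)


def parse_line(line: str):
    """Return a dict with ts/src/msg/user/ip/success, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    # Only successful authentications matter for this review step.
    rec["success"] = msg.startswith("Accepted") or "success" in msg.lower()
    return rec


def is_vpn_source(ip: str) -> bool:
    """True if the source address falls inside any attributed VPN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in VPN_RANGES)


def flag_vpn_logins(log_text: str):
    """Return the successful logins whose source is an attributed VPN range."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["success"] and is_vpn_source(rec["ip"]):
            findings.append({"ts": rec["ts"], "user": rec["user"], "ip": rec["ip"]})
    return findings
```

Failed attempts and successful logins from non-VPN ranges are deliberately left out so that the output is a short list an analyst can review against expected VPN usage for each account.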
Conclusion
The joint advisory issued by the FBI, the US Department of Treasury, and the Israeli National Cyber Directorate serves as a warning to organizations worldwide about the evolving tactics and threat posed by Cotton Sandstorm. By understanding these new TTPs and taking proactive measures to defend against attacks, organizations can reduce their risk exposure.
References
- FBI Advisory on Cotton Sandstorm (2024)
- Israeli National Cyber Directorate Advisory on Cotton Sandstorm (2024)
- US Department of Treasury Advisory on Cotton Sandstorm (2024)