Trace Id is missing

Nation State Actor

Gray Sandstorm

A close-up of a planet

Gray Sandstorm (formerly DEV-0343) conducts extensive password spraying emulating a Firefox browser and using IPs hosted on a Tor proxy network. They typically target dozens to hundreds of accounts within an organization, depending on the size, and enumerate each account from dozens to thousands of times. On average, between 150 and 1,000+ unique Tor proxy IP addresses are used in attacks against each organization.

Gray Sandstorm operators typically target two Exchange endpoints – Autodiscover and ActiveSync – as a feature of the enumeration/password spray tool they use. This allows Gray Sandstorm to validate active accounts and passwords, and further refine their password spray activity.

Country of origin:                                                                      Industries targeted:

 

Iran                                                                                                Defense

                                         

Countries targeted:

 

Israel

 

United States                                                                                                     

Related articles

The final report on NOBELIUM’s unprecedented nation-state attack

Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021

Iran-linked DEV-0343 targeting defense, GIS, and maritime sectors