Published 29 Aug 2024

Cyber OT Alert Bulletin: Peach Sandstorm Deploys New Backdoor in Critical Infrastructure

Peach Sandstorm, a state-sponsored Iranian hacking group, has deployed a new custom backdoor malware named “Tickler.” This backdoor has been used in attacks targeting sectors like satellite communications, oil and gas, defense, and government entities in the U.S. and UAE.

The attacks, observed between April and July 2024, leverage compromised Azure infrastructure to establish persistent access to victim networks, enabling extensive intelligence gathering and potential disruption.

New Developments

Azure Exploitation: The group’s use of compromised Azure subscriptions to control victim networks highlights the critical need for securing cloud infrastructure. These accounts were often obtained through password spraying and social engineering.

LinkedIn Social Engineering: Peach Sandstorm also used fake LinkedIn profiles to gather intelligence, particularly targeting sectors like higher education and satellite industries. This tactic reflects their broad approach to cyber espionage.


Why It Matters: The Tickler backdoor is part of a broader intelligence collection campaign, showcasing Peach Sandstorm’s growing technical sophistication. By exploiting Azure subscriptions, the group can manipulate cloud infrastructure, significantly increasing the impact of their operations.


Big Picture: The Growing Challenge of Securing Critical Infrastructure

Peach Sandstorm’s activities are part of a larger trend of state-sponsored cyber threats targeting critical infrastructure. These attacks are becoming more sophisticated, with groups like Peach Sandstorm using custom-built tools to bypass conventional security measures.


Call to Action: Immediate Steps to Bolster Cybersecurity

Implement Multi-Factor Authentication (MFA) across all cloud services.

Review and tighten access controls on Azure and other cloud platforms.

Enhance continuous monitoring of both IT and OT environments to detect and respond to threats in real time.
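The bulletin names password spraying as the way many of the abused Azure accounts were obtained, and the steps above call for monitoring that catches it. The following is an added example, not code from the bulletin or its publisher: a small detector that reads sign-in records shaped like an Entra ID (Azure AD) export and flags a source IP that fails against many distinct accounts in a short window, then lists the accounts that later signed in successfully from that IP. The record layout and the sample events are constructed assumptions; 50126 (invalid password) and 50053 (account locked) are the real Entra sign-in result codes.

```python
"""Flag password-spray patterns in Entra ID (Azure AD) sign-in logs.
Added example; the record layout is a simplified assumption, not the
export schema. 50126 (bad password) and 50053 (locked) are real codes."""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_USERS = 5              # distinct accounts failed from one source IP
SPRAY_WINDOW = timedelta(minutes=30)
FAIL_CODES = {50126, 50053}

def ev(ts, user, ip, status):
    return {"ts": ts, "user": user, "ip": ip, "status": status}

# Constructed sample: 203.0.113.7 tries one password against many accounts
# and lands one; 198.51.100.4 is a single user mistyping their own password.
SAMPLE_EVENTS = [
    ev("2024-05-02T09:00:01Z", "a.lee@example.com", "203.0.113.7", 50126),
    ev("2024-05-02T09:00:09Z", "b.ng@example.com", "203.0.113.7", 50126),
    ev("2024-05-02T09:00:17Z", "c.ortiz@example.com", "203.0.113.7", 50126),
    ev("2024-05-02T09:00:25Z", "d.khan@example.com", "203.0.113.7", 50126),
    ev("2024-05-02T09:00:33Z", "e.roy@example.com", "203.0.113.7", 50126),
    ev("2024-05-02T09:00:41Z", "f.wu@example.com", "203.0.113.7", 0),
    ev("2024-05-02T09:05:00Z", "g.park@example.com", "198.51.100.4", 50126),
    ev("2024-05-02T09:05:30Z", "g.park@example.com", "198.51.100.4", 50126),
    ev("2024-05-02T09:06:00Z", "g.park@example.com", "198.51.100.4", 0),
]

def detect_spray(events, min_users=SPRAY_MIN_USERS, window=SPRAY_WINDOW):
    """{ip: sorted users} for IPs whose failures hit >= min_users accounts
    inside one sliding time window (one user failing repeatedly is ignored)."""
    by_ip = defaultdict(list)
    for e in events:
        if e["status"] in FAIL_CODES:
            ts = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            by_ip[e["ip"]].append((ts, e["user"]))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1               # slide the window forward
            if len({u for _, u in attempts[start:end + 1]}) >= min_users:
                hits[ip] = sorted({u for _, u in attempts})
                break
    return hits

def successes_from_spray_ips(events, hits):
    """Accounts that signed in successfully from a spraying IP: reset these,
    revoke their sessions and review their activity first."""
    return sorted((e["ip"], e["user"]) for e in events
                  if e["ip"] in hits and e["status"] == 0)
```

Enforcing MFA (the first step above) turns the one successful sign-in here into a blocked attempt, which is why the spray and the success are worth correlating rather than alerting on failures alone.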

Process-Oriented Cyber OT: A Strategic Response

Given the nature of the Tickler backdoor:

Anomaly Detection: A process-centric approach closely monitors the baseline behaviour of industrial processes. Continuous surveillance can detect subtle deviations, like the early stages of Tickler’s deployment, before system integrity is compromised.

Holistic Analysis: Focusing on the overall health of physical processes, rather than just the network, provides a comprehensive understanding of potential threats.

Coordinated Response: When an anomaly is detected, a coordinated response involving IT and OT teams is crucial. Swift action to isolate and mitigate the threat can prevent further damage and protect critical operations.


For more information, refer to this article:
Wired: Iranian Hackers Targeting Space Industry With New Backdoor

