Microsoft has posted a blog providing details on Mint Sandstorm, a threat actor group previously labeled PHOSPHORUS and who is believed to be associated with the Islamic Revolutionary Guard Corps, the intelligence arm of Iran’s military. Over the past year, the group has shifted from network reconnaissance activities to actively targeting U.S. critical infrastructure, including the energy, transportation systems, and chemical sectors.

Mint Sandstorm has the ability to rapidly weaponize N-day or zero-day vulnerabilities that have been publicly disclosed. Microsoft has observed the group rapidly repurposing publicly posted proof-of-concept code for zero-day exploitation multiple times this year. Additionally, Microsoft warns that the group also continues to exploit older vulnerabilities for initial compromise. Both capabilities which emphasize the need to apply patches for known vulnerabilities in a timely manner. This, combined with the use of custom network exploitation tools and targeted phishing campaigns, makes Mint Sandstorm a difficult threat for most critical infrastructure organizations to face. Microsoft includes mitigations against the group’s custom tools in the blog and additional recommendations that members are encouraged to examine. Read more at Microsoft.