Lemon Sandstorm is assessed to be a state sponsored Iranian threat actor closely linked to the Iranian cyber espionage group Peach Sandstorm, that is highly likely part of Iran’s revolutionary guard corps, IRGC.
This is not the first example of Iranian threat actors for IRGC has been involved in cybercrime, but it’s one of the clearest examples of how deeply entrenched IRGC hackers are in the Russian ransomware ecosystem. Iran appears to follow a similar path to North Korea, where financial problems, stemming from Western sanctions, makes cyber espionage organizations turn to cybercrime to finance their activities.
Assessment
While the technical skills of these threat actors shouldn’t be over-stated, state sponsored actors like Lemon Sandstorm or North Korea’s Diamond Sleet turning to cybercrime pose unique problems for cybersecurity. These threat actors can be more long-term and strategic in executing their attacks and have access to non-cyber espionage capabilities, such as covert action skills that can be used to social engineer access to networks. While IRGC is still assessed to be a fringe player in the overall ransomware ecosystem, Truesec will continue to monitor these developments.