From 97ed1bda8b9d08f2e5da506cacdcc16c2776ba58 Mon Sep 17 00:00:00 2001
From: Mathieu4141
Date: Mon, 8 Jan 2024 05:23:29 -0800
Subject: [PATCH] [threat-actors] Add Gray Sandstorm
---
 clusters/threat-actor.json | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1aa09a2..ce52508 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -13974,6 +13974,21 @@
 },
 "uuid": "267488cb-159a-46d6-a6d6-fe93c90360b2",
 "value": "UAC-0099"
+ },
+ {
+ "description": "Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.",
+ "meta": {
+ "country": "IR",
+ "refs": [
+ "https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/",
+ "https://www.microsoft.com/en-us/security/blog/2021/10/11/iran-linked-dev-0343-targeting-defense-gis-and-maritime-sectors/"
+ ],
+ "synonyms": [
+ "DEV-0343"
+ ]
+ },
+ "uuid": "6ea73b7f-b2e5-4e6d-a1ff-705f91175613",
+ "value": "Gray Sandstorm"
 }
 ],
 "version": 296
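Review bot: The `"version": 296` line at the end of this hunk is unchanged context even though a new cluster entry is added, so any consumer that decides whether to re-import the cluster file by comparing `version` would probably not pick up Gray Sandstorm; unless another commit in the series bumps it, change it to `"version": 297`. Separately, neither `refs` URL mentions the name Gray Sandstorm (the second is titled for DEV-0343), so nothing listed lets an analyst verify the name mapping behind the `synonyms` entry. The description's "active since at least 2012" statement should also be checked against the two cited posts and either sourced or softened, since timeline claims in a shared attribution record tend to be copied downstream as fact. The enclosing array and the preceding UAC-0099 entry begin outside the hunk.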