Gray Sandstorm, also tracked as DEV-0343 until its renaming in April 2023, is a state-sponsored threat actor operating in support of Iranian national interests. The group was first observed in late July 2021 by Microsoft Threat Intelligence Center (MSTIC). Its primary motivation is intelligence gathering, particularly focused on obtaining sensitive information such as commercial satellite imagery and proprietary shipping plans to advance Iran's strategic and military objectives, and supporting kinetic operations and bombing damage assessment efforts. Gray Sandstorm distinguishes itself through its persistent and widespread password spraying campaigns, often using anonymizing services like Tor to compromise cloud accounts. The group's activities suggest a focused effort on cyber espionage.