A threat group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) is staging fake political messages and fake technical job offers to deceive employees and compromise systems at aerospace and defense companies in Israel, the United Arab Emirates and other Middle Eastern countries.
The campaign, discovered by Google Cloud’s Mandiant, appears to be linked to the Iranian threat group UNC1549 – also known as Smoke Sandstorm and Tortoiseshell – and carries out spear phishing and watering-hole attacks to harvest credentials and deliver malware.
A successful compromise typically results in the installation of backdoor software on affected systems, usually a program known as MINIBIKE or its more updated cousin, MINIBUS.
Between job-themed spear phishing and the use of cloud infrastructure for command and control, the attack may be difficult to detect, says Jonathan Leathery, principal analyst at Google Cloud’s Mandiant.
“The most notable part is how elusive this threat can be to discover and monitor – they clearly have access to significant resources and are selective in targeting,” he says. “There is likely more activity on the part of this actor that has not yet been discovered, and there is even less information about how they operate once a target is compromised.”
Iranian threat groups have increasingly targeted sensitive industries to steal government secrets and intellectual property. In 2021, Microsoft noted a dramatic shift, with Iran-linked cyber operations groups focusing on IT services companies as a way into their government customers’ networks. The company sent 1,647 notifications to IT services companies after spotting Iran-based actors targeting them, a huge jump from the 48 such warnings Microsoft sent in 2020.
Smoke and malware
Microsoft noted that Smoke Sandstorm – Microsoft’s name for the group – had compromised the email accounts of a Bahrain-based IT integrator in 2021, possibly as a way to gain access to the company’s government customers. Microsoft disrupted some of the group’s spear phishing operations in May 2022.
While the Tortoiseshell group, tracked by Google as UNC1549 and by CrowdStrike as Imperial Kitten, continues to focus on IT service providers, it now also employs watering-hole and spear phishing attacks as its primary initial infection tactics.
Since then, however, the threat group has regrouped and, as of February 2024, is targeting aerospace, aviation and defense companies in Israel and the United Arab Emirates, Google stated in its analysis. The group may also be linked to cyberattacks against similar industries in Albania, India and Turkey.
“Intelligence collected about these entities is relevant to Iranian strategic interests and could be exploited for espionage and kinetic operations,” Google wrote. “This is further supported by potential links between UNC1549 and the Iranian IRGC.”
The spear phishing messages contain links to websites that pose as job sites – particularly focused on technology and defense-related positions – or as part of the “Bring Them Home Now” movement calling for the return of Israeli hostages.
The attack chain ultimately leads to the download of one of two unique backdoors onto the victim’s system. MINIBIKE is a C++ backdoor that supports file exfiltration and upload as well as command execution. MINIBUS, its newer variant, is more flexible and has “enhanced reconnaissance capabilities,” according to Google.
Custom cyber attacks
The UNC1549 group appears to carry out significant reconnaissance and preparation prior to attacks, including registering domain names tailored to the targeted organization. Because of the level of customized content created for each targeted company, it is difficult to estimate the total number of targeted organizations, Leathery says.
“The data suggests that they identify specific targets [and] so they probably shape their strategy around the target: for example they register domains that directly refer to a specific target,” he says. “In many cases they include bait content that needs to be created or researched [or] repurposed from publicly available legitimate information.”
Google Cloud’s Mandiant rated the attribution with a “medium” confidence level, meaning that threat researchers believe it is very likely that the activity was carried out by the UNC1549 group.
“We think it’s very likely that UNC1549 conducted it, but there’s not enough evidence to rule out that it could have been a different group,” he says. “However, even in these unlikely circumstances, we believe that this is simply a different group working to support the Iranian government.”
Beware of suspicious email links and beaconing
In its technical analysis, Google details specific indicators of compromise (IOCs) for the MINIBIKE malware, including the use of four Azure domains for command and control, a OneDrive registry key used to maintain persistence, and repeating beacon communications to three file names that mimic Web components.
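The beaconing behaviour described above is what a defender can hunt for in proxy or firewall logs even when the command-and-control hosts sit on legitimate cloud infrastructure: a fixed sleep interval produces requests to the same host and path with far more regular spacing than human browsing. The following is an added example, not code from Google’s or Mandiant’s analysis. The log lines, client addresses, hostnames and file names are constructed for the illustration and are not the report’s indicators; the log format, the cloud-suffix list and the jitter threshold are assumptions.

```python
"""Flag periodic (beacon-like) HTTP requests in proxy logs.

Added illustration; not code from Google/Mandiant. All sample values
below are constructed, not the indicators the report lists.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: "<ISO timestamp> <client> <host> <path>".
# The static-asset-looking path and the cloud-hosted host are stand-ins
# chosen for the example, not real indicators.
SAMPLE_LOG = """\
2024-02-20T09:00:00 10.1.2.3 update.example-cdn.azurewebsites.net /jquery-ui.js
2024-02-20T09:00:05 10.1.2.3 intranet.example.local /index.html
2024-02-20T09:05:01 10.1.2.3 update.example-cdn.azurewebsites.net /jquery-ui.js
2024-02-20T09:07:30 10.1.2.3 news.example.org /article/42
2024-02-20T09:10:02 10.1.2.3 update.example-cdn.azurewebsites.net /jquery-ui.js
2024-02-20T09:15:00 10.1.2.3 update.example-cdn.azurewebsites.net /jquery-ui.js
2024-02-20T09:20:01 10.1.2.3 update.example-cdn.azurewebsites.net /jquery-ui.js
2024-02-20T09:03:10 10.1.2.4 news.example.org /article/42
2024-02-20T09:41:55 10.1.2.4 news.example.org /article/43
2024-02-20T10:12:07 10.1.2.4 news.example.org /index.html
"""

# Assumed list of cloud-hosting suffixes used only to enrich a hit; traffic
# to these is normal, which is exactly why periodicity, not the host, is
# the primary signal.
ASSUMED_CLOUD_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com")
STATIC_ASSET_EXTENSIONS = (".js", ".css", ".png", ".gif")


def parse_log(text):
    """Group request timestamps by (client, host, path)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        events[(client, host, path)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return (key, mean_interval_seconds, jitter) for regularly spaced series.

    jitter is the coefficient of variation (stdev / mean) of the
    inter-arrival gaps: a fixed sleep plus a small random delay sits near
    zero, while a person revisiting the same URL does not.
    """
    hits = []
    for key, times in events.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((key, avg, jitter))
    return hits


def enrich(hit):
    """Attach context tags to a beacon hit for the analyst."""
    (client, host, path), avg, jitter = hit
    tags = ["periodic"]
    if host.endswith(ASSUMED_CLOUD_SUFFIXES):
        tags.append("cloud-hosted")
    if path.endswith(STATIC_ASSET_EXTENSIONS):
        tags.append("static-asset-name")
    return {"client": client, "host": host, "path": path,
            "interval_s": round(avg, 1), "jitter": round(jitter, 4),
            "tags": tags}


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(enrich(hit))
```

The periodicity check is deliberately host-agnostic: cloud suffixes and web-component-style file names only add context, because blocking or alerting on such names alone would drown in legitimate traffic. In production the threshold and minimum hit count should be tuned against a baseline of the organisation's own proxy logs.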
The new MINIBUS, meanwhile, is more compact and flexible. Google lists a number of DLL file names that may be in use and warns that the malware tries to detect whether it is running on a virtual machine and whether any security applications are running.
Given UNC1549’s reliance on reconnaissance and personalized spear phishing, companies should block untrusted links in emails and rely on awareness training to keep their employees current on the latest phishing methods, according to Google.