An Iran-nexus threat actor tracked as UNC1549 has been attributed with medium confidence to a new series of attacks against the aerospace, aviation and defense industries in the Middle East, including Israel and the United Arab Emirates.
Other likely targets of the cyber espionage activity include Turkey, India and Albania, Google-owned Mandiant said in a new analysis.
UNC1549 is said to overlap with Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC)-affiliated group also known as Imperial Kitten, TA456, Tortoiseshell and Yellow Liderc.
“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024,” the company said. “Although regional in nature and primarily focused in the Middle East, the targets include entities operating worldwide.”
The attacks involve the use of Microsoft Azure cloud infrastructure for command and control (C2) and social engineering involving work-related decoys to deliver two backdoors named MINIBIKE and MINIBUS.
Spear-phishing emails are used to deliver links to fake websites hosting Israel- and Hamas-related content or fake job offers, which results in the delivery of a malicious payload. Fake login pages imitating major companies to harvest credentials have also been observed.
Once C2 access is established, the custom backdoors serve as a conduit for intelligence gathering and further access to the targeted network. Another tool deployed in this phase is a tunneling utility called LIGHTRAIL that communicates over the Azure cloud.
While MINIBIKE is written in C++ and is capable of exfiltrating and uploading files and executing commands, MINIBUS serves as a “more robust successor” with improved reconnaissance capabilities.
“The intelligence collected on these entities is relevant to Iranian strategic interests and can be exploited for espionage and kinetic operations,” Mandiant said.
“The evasion methods used in this campaign, namely customized work-themed lures combined with the use of cloud infrastructure for C2, may make it difficult for network defenders to prevent, detect and mitigate this activity.”
CrowdStrike, in its 2024 Global Threat Report, described how “fake activists associated with Iranian state-nexus adversaries and hacktivists calling themselves ‘pro-Palestinian’ have focused on targeting critical infrastructure, warning systems, Israeli aerial projectiles and activities intended for the purposes of information operations” in 2023.
This includes Banished Kitten, which released the BiBi wiper malware, and Vengeful Kitten, an alias of Moses Staff that has claimed data deletion activity against the industrial control systems (ICS) of more than 20 companies in Israel.
That said, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm attributed to likely power and internet outages in the region.