A new wave of attacks targeting the Middle East's aerospace, aviation, and defense industries, including Israel and the U.S., has been attributed with medium confidence to an Iranian-nexus threat actor known as UNC1549.
Other likely targets of the cyber espionage activity include Turkey, India, and Albania, according to a recent analysis from Google-owned Mandiant.
UNC1549 is reported to overlap with Smoke Sandstorm (previously Bohrium) and Crimson Sandstorm (previously Curium), a group affiliated with the Islamic Revolutionary Guard Corps (IRGC) that is also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.
According to the company, "this suspected UNC1549 activity has been ongoing since at least June 2022 and was still ongoing as of February 2024." The targeting is regional in nature and primarily concentrated in the Middle East.
The attacks involve job-themed lures to deliver two backdoors dubbed MINIBIKE and MINIBUS, and rely on Microsoft Azure cloud infrastructure for both command-and-control (C2) and social engineering.
The spear-phishing emails are designed to direct recipients to fake websites hosting Israel-Hamas-related content or phony job offers, which in turn lead to the deployment of a malicious payload. Fake login pages impersonating major companies have also been observed being used to harvest credentials.
Once C2 access is established, the custom backdoors serve as a conduit for intelligence gathering and further intrusion into the targeted network. Also in use is a tunneling tool called LIGHTRAIL, which communicates over Azure cloud infrastructure.
MINIBIKE is written in C++ and is capable of file exfiltration, file upload, and command execution, while MINIBUS is a more "robust successor" with enhanced reconnaissance capabilities.
According to Mandiant, "the intelligence gathered on these entities is relevant to strategic Iranian interests and may be used for kinetic operations as well as espionage."
The evasion strategies employed in this campaign, specifically the custom job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and stop this activity.
In its Global Threat Report for 2024, CrowdStrike outlined how "faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as 'pro-Palestine' focused on 2023-related activities like Israeli aerial projectile warning systems and activities intended for information operations."
These include Vengeful Kitten, an alias for Moses Staff, which has claimed data-wiping activity against the industrial control systems (ICS) of more than 20 businesses in Israel, and Banished Kitten, which unleashed the BiBi wiper malware.
Hamas-linked adversaries, on the other hand, have been conspicuously absent from conflict-related activity, which the cybersecurity firm has attributed to potential power and internet disruptions in the region.