Hackers with Ties to Iran Target Middle East Defense & Aerospace Sectors

A new series of attacks targeting the aerospace, aviation, and defense industries in the Middle East, including organizations in Israel and the United Arab Emirates, has been linked with medium confidence to UNC1549, a threat actor with ties to Iran. According to a recent investigation by Google-owned Mandiant, the cyber espionage activity probably also targets entities in Albania, Turkey, and India.

UNC1549 is assessed to overlap with Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium); the latter is also tracked as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc and is linked to the Islamic Revolutionary Guard Corps (IRGC).

“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024. The targeting includes entities operating worldwide, despite being regional and primarily focused in the Middle East,” the company said.

The attacks use Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering built around job-themed lures to deliver two backdoors tracked as MINIBIKE and MINIBUS.

The spear-phishing emails carry links to bogus websites, hosting either content related to the Israel-Hamas conflict or fake job offers, that deliver the malicious payload. Fake login pages impersonating well-known companies have also been observed harvesting credentials.

Once C2 access is established, the custom backdoors collect intelligence and are used to gain further access to the targeted network. Also deployed at this stage is LIGHTRAIL, a tunneler that routes its communication through Azure cloud infrastructure.

MINIBIKE, written in C++, can execute commands and exfiltrate files; MINIBUS is described as a more "robust successor" with improved reconnaissance capabilities.

“The intelligence collected on these entities is relevant to strategic Iranian interests and may be leveraged for espionage and kinetic operations,” Mandiant stated.

“The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity.”
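Cloud-hosted C2 defeats reputation-based blocking because the destination is a legitimate provider, but implant check-ins still tend to be periodic. As an added example, not code from the article or from Mandiant's report, the script below runs a beaconing heuristic over constructed proxy log lines and marks which regular talkers point at cloud-hosted names. The log format, the Azure hostname suffixes in `CLOUD_SUFFIXES`, and the thresholds are assumptions for illustration; real hosts would need tuning and an allowlist for known business applications.

```python
"""Beaconing heuristic for spotting cloud-fronted C2 in proxy logs.

Added illustration; not code from Mandiant or the original article. The log
format, hostname suffixes and thresholds below are assumptions for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed: suffixes of Azure services that attacker-controlled C2 could hide behind.
CLOUD_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".blob.core.windows.net")

# Constructed sample proxy log lines: "<ISO-8601 timestamp> <src_ip> <dest_host> <bytes>".
SAMPLE_LOGS = [
    # 10.0.0.5 checks in with an HR-themed Azure host roughly every 60 s (beacon-like).
    "2024-02-01T09:00:00 10.0.0.5 hr-careers-portal.azurewebsites.net 1472",
    "2024-02-01T09:01:01 10.0.0.5 hr-careers-portal.azurewebsites.net 1480",
    "2024-02-01T09:02:00 10.0.0.5 hr-careers-portal.azurewebsites.net 1469",
    "2024-02-01T09:02:59 10.0.0.5 hr-careers-portal.azurewebsites.net 1475",
    "2024-02-01T09:04:02 10.0.0.5 hr-careers-portal.azurewebsites.net 1471",
    "2024-02-01T09:05:00 10.0.0.5 hr-careers-portal.azurewebsites.net 1470",
    "2024-02-01T09:06:01 10.0.0.5 hr-careers-portal.azurewebsites.net 1477",
    "2024-02-01T09:07:00 10.0.0.5 hr-careers-portal.azurewebsites.net 1473",
    # 10.0.0.9 browses a legitimate Azure-hosted site at irregular, human-like intervals.
    "2024-02-01T09:00:10 10.0.0.9 docs-team.azurewebsites.net 52310",
    "2024-02-01T09:00:25 10.0.0.9 docs-team.azurewebsites.net 8120",
    "2024-02-01T09:03:40 10.0.0.9 docs-team.azurewebsites.net 61022",
    "2024-02-01T09:04:02 10.0.0.9 docs-team.azurewebsites.net 3341",
    "2024-02-01T09:12:30 10.0.0.9 docs-team.azurewebsites.net 77019",
    "2024-02-01T09:13:15 10.0.0.9 docs-team.azurewebsites.net 2200",
    "2024-02-01T09:30:00 10.0.0.9 docs-team.azurewebsites.net 45000",
    # 10.0.0.7 is a perfectly periodic but non-cloud destination (e.g. a time sync job).
    "2024-02-01T09:00:00 10.0.0.7 ntp-sync.example.net 90",
    "2024-02-01T09:05:00 10.0.0.7 ntp-sync.example.net 90",
    "2024-02-01T09:10:00 10.0.0.7 ntp-sync.example.net 90",
    "2024-02-01T09:15:00 10.0.0.7 ntp-sync.example.net 90",
    "2024-02-01T09:20:00 10.0.0.7 ntp-sync.example.net 90",
    "2024-02-01T09:25:00 10.0.0.7 ntp-sync.example.net 90",
]


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, dest_host, bytes)."""
    ts, src, host, nbytes = line.split()
    return datetime.fromisoformat(ts), src, host, int(nbytes)


def is_cloud_host(host):
    """True if the destination sits under one of the assumed cloud suffixes."""
    return host.lower().endswith(CLOUD_SUFFIXES)


def beacon_candidates(lines, min_events=6, max_cv=0.2):
    """Return (src, host) pairs whose inter-connection intervals are suspiciously regular.

    Regularity is measured by the coefficient of variation (stdev / mean) of the
    gaps between consecutive connections; a low value means near-constant spacing,
    which is typical of implant check-ins with little or no jitter.
    """
    times = defaultdict(list)
    for line in lines:
        ts, src, host, _ = parse_line(line)
        times[(src, host)].append(ts)

    findings = []
    for (src, host), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:  # duplicate timestamps only; nothing to measure
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "events": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                "cloud_hosted": is_cloud_host(host),
            })
    # Cloud-hosted, highly regular destinations surface first for triage.
    findings.sort(key=lambda f: (not f["cloud_hosted"], f["cv"]))
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_LOGS):
        print(finding)
```

On the constructed data the HR-themed Azure host is flagged (eight events, 60 s mean interval, very low variation) while the irregular browsing session to another Azure site is not; the periodic non-cloud destination is also reported, which is why the `cloud_hosted` flag and an allowlist of known schedulers matter before anyone is paged.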

CrowdStrike noted in the Global Threat Report 2024 that “faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023.”

This includes Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping operations against the Industrial Control Systems (ICS) of more than 20 firms in Israel, and Banished Kitten, which released the BiBi wiper malware.

Nevertheless, adversaries with ties to Hamas have been conspicuously absent from conflict-related cyber activity, which the cybersecurity company attributes to probable power and internet outages in the area.