Iranian Hackers Target Aviation and Defense Sectors in Middle East

February 29, 2024 at 09:27AM

Iranian hackers have been utilizing Microsoft Azure cloud infrastructure in attacks on aerospace, aviation, and defense organizations in the Middle East, particularly in Israel and the UAE. The hacking group, UNC1549, has deployed two backdoors named MiniBike and MiniBus. These activities are linked to Iran’s Islamic Revolutionary Guard Corps. Mandiant discovered the MiniBus backdoor hosted on a fake recruiting website and also observed the use of spear-phishing emails and social media messages to distribute malware. UNC1549 also employed evasion techniques such as using domain naming schemes resembling legitimate sites and using Azure and servers in targeted geographies to hide malicious traffic. Additionally, they’ve utilized LightRail, a tunneling tool, and fake login pages to harvest victim credentials.
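The evasion techniques above (domains named to resemble legitimate sites, hosted on ordinary cloud infrastructure where IP reputation says little) are best countered on the defender's side at the hostname level. The following is an added example, not code from the article or from Mandiant's report: it scans constructed proxy log lines for hosts whose registrable name resembles a list of domains the organisation owns. The domain names, log lines and the simple public-suffix logic are all assumptions made for the example.

```python
"""Look-alike domain detection over proxy logs (added example, not from the report)."""
import re
from difflib import SequenceMatcher

# Constructed list of domains the organisation owns or trusts (placeholders).
LEGIT_DOMAINS = ["example-aero.com", "example-defense.co.il", "example-recruiting.ae"]

# Constructed proxy log lines: "<timestamp> <client_ip> <host> <path>". Not real traffic.
SAMPLE_LOGS = [
    "2024-02-29T09:27:01Z 10.0.0.5 example-aero.com /careers",
    "2024-02-29T09:27:02Z 10.0.0.7 exarnple-aero.com /login",        # 'rn' stands in for 'm'
    "2024-02-29T09:27:03Z 10.0.0.9 example-aero-jobs.com /apply",    # brand embedded in a longer name
    "2024-02-29T09:27:04Z 10.0.0.3 cdn.example-defense.co.il /static/app.js",
    "2024-02-29T09:27:05Z 10.0.0.4 example-defence.co.il /signin",   # one-character substitution
    "2024-02-29T09:27:06Z 10.0.0.6 example-aero.net /login",         # same brand, different TLD
    "2024-02-29T09:27:07Z 10.0.0.8 unrelated-news.org /",
]

# Second-level labels under which the registrable name is three labels long (e.g. co.il).
# This is a deliberately small stand-in for a real public-suffix list.
SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}

# Character sequences commonly swapped for visually similar ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

SIMILARITY_THRESHOLD = 0.85


def registrable(host: str) -> str:
    """Return the registrable part of a hostname (naive public-suffix logic)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def brand_label(domain: str) -> str:
    """The first label of a registrable domain, i.e. the part a user reads as the brand."""
    return registrable(domain).split(".")[0]


def normalize(label: str) -> str:
    """Fold confusable character sequences so 'exarnple' compares equal to 'example'."""
    out = label.lower()
    for lookalike, canonical in CONFUSABLES:
        out = out.replace(lookalike, canonical)
    return out


def classify_host(host: str, legit_domains=LEGIT_DOMAINS):
    """Return ('legitimate'|'lookalike'|'unrelated', matched legitimate domain or None)."""
    reg = registrable(host)
    if reg in {registrable(d) for d in legit_domains}:
        return "legitimate", reg
    candidate = normalize(brand_label(host))
    for legit in legit_domains:
        brand = normalize(brand_label(legit))
        if candidate == brand:                       # confusable swap or TLD swap
            return "lookalike", legit
        if brand in candidate:                       # brand embedded in a longer label
            return "lookalike", legit
        if SequenceMatcher(None, candidate, brand).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike", legit                # small edit distance
    return "unrelated", None


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<host>\S+)\s+(?P<path>\S+)$")


def scan_logs(lines, legit_domains=LEGIT_DOMAINS):
    """Return (host, matched_legit, client_ip) for every log line pointing at a look-alike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict, matched = classify_host(m["host"], legit_domains)
        if verdict == "lookalike":
            hits.append((m["host"], matched, m["ip"]))
    return hits


if __name__ == "__main__":
    for host, matched, ip in scan_logs(SAMPLE_LOGS):
        print(f"{ip} -> {host}  (resembles {matched})")
```

Run against the constructed logs, the scan flags the confusable spelling, the brand embedded in a longer name, the one-character substitution and the TLD swap, while leaving the genuine CDN subdomain and the unrelated site alone. The substring and similarity checks will over-match for very short brand names; in production the threshold is tuned per brand, the suffix logic is replaced by a real public-suffix list, and hits feed a review queue rather than an automatic block.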

From the report, it is clear that Iranian hackers, specifically a group tracked as UNC1549, have been engaged in a campaign targeting aerospace, aviation, and defense organizations in the Middle East. The group has utilized two unique backdoors named MiniBike and MiniBus to spy on organizations in Israel, the United Arab Emirates (UAE), Albania, India, and Turkey. These activities overlap with other threat actors linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). The hacking group has used various tactics such as spear-phishing emails, social media messages, and fake websites to distribute malware and gain access to the targeted networks. Additionally, they have utilized Microsoft Azure cloud infrastructure to host their command-and-control (C&C) infrastructure and employed evasion techniques to remain undetected.

It is also noted that the hackers have used LightRail, a tunneling tool, which shares code similarities with the backdoors and uses the same Azure C&C infrastructure. Mandiant, the cybersecurity firm, has observed UNC1549 using fake login pages to harvest victim credentials and identified job description documents for positions at a drone manufacturing company on the same infrastructure hosting MiniBus.

The campaign’s potential link to Iran’s IRGC is significant, particularly in light of the recent tensions with Iran due to the Israel-Hamas conflict. Moreover, the group’s activities have also been associated with a threat actor previously linked to Iran’s IRGC, known as Smoke Sandstorm and Tortoiseshell, which targeted defense contractors and IT providers. These findings highlight the sophisticated nature of the cyber threats posed by Iranian hackers and the critical need for heightened cybersecurity measures to counter their activities.

Additionally, it is important to note the related developments involving Iran’s cyberattacks on Israel amid the Hamas conflict, as well as the US imposing sanctions on Iranian hackers linked to water utility hacks. These events underscore the broader geopolitical implications and the escalating nature of cyber warfare, emphasizing the necessity for international coordination and proactive defense strategies to mitigate the impact of such malicious activities.