A fresh round of attacks targeting the aerospace, aviation, and security sectors in the Middle East, including Israel and the United Arab Emirates, have been linked with medium certainty to an Iranian-nexus threat actor known as UNC1549.
Mandiant, which is owned by Google, indicated in a fresh review that other likely targets of the cyber espionage operation include Turkey, India, and Albania.
Rumor has it that UNC1549 shares some territory with Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium), the latter of which is a group associated with the Islamic Revolutionary Guard Corps (IRGC) and goes by several names: Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.
“This suspected UNC1549 exercise has been energetic since no less than June 2022 and continues to be ongoing as of February 2024,” according to the company. “Whereas regional in nature and centered largely within the Center East, the concentrating on consists of entities working worldwide.”
The attacks deploy two backdoors called MINIBIKE and MINIBUS using social engineering leveraging job-related lures and command-and-control (C2) in Microsoft Azure cloud infrastructure.
In order to install a malicious payload, the spear-phishing emails are meant to distribute URLs to fake websites that feature content related with Israel-Hamas or fake employment offers. False login sites posing as legitimate companies in an effort to steal passwords have also been discovered.
Once C2 access is established, the tailored backdoors provide intelligence gathering and expanded community access. At this time, we have also implemented LIGHTRAIL, a tunneling software application that interacts over Azure cloud.
While MINIBIKE is a C++ program that can execute commands, add files, and extract data, MINIBUS is a more “sturdy successor” with better reconnaissance capabilities.
“The intelligence collected on these entities is of relevance to strategic Iranian pursuits and could also be leveraged for espionage in addition to kinetic operations,” stated Mandiant.
“The evasion strategies deployed on this marketing campaign, specifically the tailor-made job-themed lures mixed with using cloud infrastructure for C2, could make it difficult for community defenders to forestall, detect, and mitigate this exercise.”
According to CrowdStrike’s International Risk Report for 2024, “faketivists related to Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ centered on concentrating on important infrastructure, Israeli aerial projectile warning programs, and exercise meant for data operation functions in 2023.”
Among these are Banished Kitten, the culprit behind the BiBi wiper software, and Vengeful Kitten, a pseudonym of Moses Employees, who has committed data-wiping attacks against over 20 Israeli companies’ ICS systems.
Having said that, the cybersecurity agency has pointed to likely electricity and online outages in the area as the reason why Hamas-linked opponents have been conspicuously missing from conflict-related activities.
