Today Mandiant is releasing a blog post about suspected Iran-nexus espionage activity targeting the aerospace, aviation and defense industries in Middle East countries, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.

Mandiant attributes this activity with moderate confidence to the Iranian actor UNC1549, which overlaps with Tortoiseshell—a threat actor that has been publicly linked to Iran’s Islamic Revolutionary Guard Corps (IRGC). Tortoiseshell has previously attempted to compromise supply chains by targeting defense contractors and IT providers.

The potential link between this activity and the Iranian IRGC is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war. Notably, Mandiant observed an Israel-Hamas war-themed campaign that masquerades as the “Bring Them Home Now” movement, which calls for the return of the Israelis kidnapped and held hostage by Hamas.

This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024. While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide.

Mandiant observed this campaign deploy multiple evasion techniques to mask their activity, most prominently the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS.

This blog post details the suspected UNC1549 operations since June 2022, the ongoing development of their proprietary malware, their network of over 125 Azure command-and-control (C2) subdomains, and their attack lifecycle, which includes tactics, techniques, and procedures (TTPs) Mandiant has not previously seen deployed by Iran.

Attribution

Mandiant assesses with moderate confidence that this activity has ties to UNC1549, an Iran-based espionage group, which overlaps with activities publicly known as Tortoiseshell and Smoke Sandstorm/BOHRIUM.

Namely, a fake recruiting website (1stemployer[.]com) was observed hosting a MINIBUS payload in November 2023. The template used for the fake recruiting website had been used previously in another fake recruiting website, careers-finder[.]com, which was used by UNC1549.

  • In this campaign, the MINIBUS backdoor was hosted on a fake job website (1stemployer[.]com) using the exact same written contents as careers-finder[.]com used by UNC1549 in early 2022, for example, “After considering the career and education background we introduce you to the employer companies which are looking for the indicated skills and expertise.”

Mục nhập này đã được đăng trong Xe hay. Đánh dấu trang permalink.