Iran-linked cyber threat group targets Middle East aerospace and defence industry

The campaign underscores the growing cyber-espionage threat posed by Iranian actors in the region.


A threat actor has initiated a sophisticated campaign involving deceptive recruitment tactics and fake technical job offers to infiltrate aerospace and defence companies across Israel, the UAE, and neighbouring regions.

Uncovered by Mandiant, this operation is believed to be orchestrated by the Iranian threat group UNC1549, also known as Smoke Sandstorm or Tortoiseshell. The group employs spear phishing and watering-hole techniques to harvest credentials and deploy malware, notably MINIBIKE or its more advanced variant MINIBUS, backdoors that give the attackers persistent access to the compromised systems.

Jonathan Leathery, principal analyst at Google Cloud’s Mandiant, underscores the difficulty of detecting such attacks, citing the group’s skilled use of cloud infrastructure for command-and-control and its highly selective targeting, both of which point to access to substantial resources.

A recent surge in cyber-espionage by Iranian groups targeting critical industries to access government secrets and intellectual property has been observed by Microsoft. The company noted a significant uptick in Iran-linked cyber operations focusing on IT service firms to gain access to government networks.

Microsoft’s observations indicate Smoke Sandstorm’s involvement in compromising the email accounts of a Bahrain-based IT integrator in 2021, with subsequent disruptions to their spear-phishing operations in 2022. Meanwhile, UNC1549, or Tortoiseshell, has expanded its tactics to include watering-hole attacks and spear phishing, targeting aerospace, aviation, and defence sectors in Israel and the UAE, with potential connections to cyberattacks in Albania, India, and Türkiye.

The spear phishing campaigns orchestrated by these threat actors involve links to fake job sites, ostensibly offering positions in technology and defence, or to websites advocating for the release of Israeli hostages. These links ultimately lead to the installation of custom backdoors, such as MINIBIKE and its variant MINIBUS, which enable data exfiltration and remote command execution.

UNC1549’s modus operandi involves extensive reconnaissance and domain name registration tailored to each target, making it challenging to estimate the full extent of their operations. Google Cloud’s Mandiant has attributed this activity to UNC1549 with medium confidence, indicating a high likelihood of the group’s involvement.

To counter such threats, Google recommends vigilance against suspicious email links and thorough awareness training to educate employees about phishing techniques. Additionally, companies should employ measures to block untrusted links in emails to mitigate the risk of infiltration by these sophisticated threat actors.