An Iranian Revolutionary Guard Corps (IRGC)-linked threat group is staging political messaging and phony technical jobs to fool employees and compromise systems at aerospace and defense firms in Israel, the United Arab Emirates, and other countries in the greater Middle East.
The campaign, discovered by Google Cloud's Mandiant, appears to be linked to Iranian threat group UNC1549 — also known as Smoke Sandstorm and Tortoiseshell — and executes spear phishing and watering-hole attacks for credential harvesting and dropping malware.
A successful compromise typically results in backdoor software installed on the affected systems, usually a program known as MINIBIKE or its more up-to-date cousin, MINIBUS.
Between the tailored employment-focused spear phishing and the use of cloud infrastructure for command-and-control, the attack may be difficult to detect, says Jonathan Leathery, principal analyst for Google Cloud's Mandiant.
"The most notable part is how elusive this threat can be to discover and track — they clearly have access to significant resources and are selective in their targeting," he says. "There is likely more activity from this actor that is not yet discovered, and there is even less information on how they operate once they've compromised a target."
Iranian threat groups have increasingly targeted sensitive industries to glean government secrets and intellectual property. In 2021, Microsoft noted a dramatic shift, for example, of Iran-linked cyber-operations groups focusing on IT services firms as a way to leapfrog into the networks of government clients. The company detected intrusions and sent out 1,647 notices to IT services firms after detecting Iran-based actors targeting them, a massive jump from just 48 such notices sent by Microsoft in 2020.
Smoke and Malware
Microsoft noted that Smoke Sandstorm — its name for the group — had compromised the email accounts of a Bahrain-based IT integrator in 2021, likely as a way to gain access to the firm's government clients. Microsoft disrupted some of the group's spear phishing operations in May 2022.
The Tortoiseshell group — also known as UNC1549 by Google and Imperial Kitten by CrowdStrike — continues to focus on IT service providers, but it now also uses watering-hole attacks and spear phishing as its primary initial-infection tactics.
The threat group has since regrouped, however, and as of February 2024 is targeting aerospace, aviation, and defense firms in Israel and the UAE, Google stated in its analysis. The group may also be connected to cyberattacks on similar industries in Albania, India, and Turkey.
"The intelligence collected on these entities is of relevance to strategic Iranian interests, and may be leveraged for espionage as well as kinetic operations," Google wrote. "This is further supported by the potential ties between UNC1549 and the Iranian IRGC."
The spear phishing messages send links to websites that appear to either be a job site — specifically focusing on technology- and defense-related positions — or part of the "Bring Them Home Now" movement calling for the return of Israeli hostages.
The attack chain eventually leads to the download of one of two unique backdoors to the victim's system. MINIBIKE is a C++ program designed as a backdoor, allowing the exfiltration or upload of data, as well as command execution. MINIBUS, its newer variant, includes more flexibility and "enhanced reconnaissance features," according to Google.
Customized Cyberattacks
The UNC1549 group appears to do significant reconnaissance and preparation prior to attacks, including reserving domain names that are matched to the targeted group. Because of the level of custom content created for each targeted firm, the total number of targeted organizations is hard to estimate, Leathery says.
"The data suggests they identify specific targets [and] then likely shape their strategy around the target — for instance, they register domains that relate directly to a specific target," he says. "In many instances they include decoy content that has to be created or researched [or] repurposed from publicly available legitimate information."
Google Cloud's Mandiant rated the attribution as "medium" confidence, which means the threat researchers believe that it's very likely that the activity was carried out by the UNC1549 group.
"We think it is very likely that UNC1549 conducted it, but there is not enough evidence to rule out that it could have been a different group," he says. "However, even in these unlikely circumstances, we think it is simply a different group operating in support of the Iranian government."
Beware Email Links and Suspicious Beaconing
In its technical analysis, Google details specific indicators of compromise (IOCs) for the MINIBIKE malware, including its use of four Azure domains for its command and control, a OneDrive registry key to maintain persistence, and beacon communications cycling over three filenames mimicking Web components.
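As an added example (not part of the article or of Mandiant's analysis), the following Python flags the beaconing pattern described above in constructed proxy-log lines: one internal host contacting one cloud domain at near-constant intervals while rotating through a small fixed set of Web-component-like filenames. The domain, IP addresses, timestamps and thresholds are constructed placeholders, not indicators from the report.

```python
# Added example (not from the article or from Mandiant): flags hosts that beacon
# to one external domain at regular intervals while rotating through a small
# fixed set of request paths, the pattern the article describes for MINIBIKE C2.
# Domain names, hostnames and log lines below are constructed placeholders.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_PROXY_LOG = """\
2024-02-27T09:00:00 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/jquery.js 200
2024-02-27T09:05:01 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/bootstrap.css 200
2024-02-27T09:10:00 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/favicon.ico 200
2024-02-27T09:15:02 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/jquery.js 200
2024-02-27T09:20:00 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/bootstrap.css 200
2024-02-27T09:25:01 10.0.0.5 GET https://c2-placeholder.azurewebsites.net/favicon.ico 200
2024-02-27T09:01:13 10.0.0.7 GET https://news.example/home 200
2024-02-27T09:02:40 10.0.0.7 GET https://news.example/article/1 200
2024-02-27T09:31:05 10.0.0.7 GET https://news.example/article/2 200
2024-02-27T09:33:50 10.0.0.7 GET https://news.example/search?q=x 200
2024-02-27T09:47:12 10.0.0.7 GET https://news.example/article/9 200
2024-02-27T10:05:00 10.0.0.7 GET https://news.example/home 200
"""

def parse(log):
    """Yield (timestamp, src_ip, domain, path) from each constructed log line."""
    for line in log.splitlines():
        ts, src, _method, url, _status = line.split()
        host_and_path = url.split("://", 1)[1]
        domain, _, path = host_and_path.partition("/")
        yield datetime.fromisoformat(ts), src, domain, "/" + path

def find_beacons(log, min_hits=5, max_paths=3, max_jitter=0.2):
    """Return {(src, domain): details} for flows whose inter-request gaps are
    nearly constant (low coefficient of variation) and whose request paths
    cycle through at most `max_paths` distinct names. Thresholds are illustrative."""
    flows = defaultdict(list)
    for ts, src, domain, path in parse(log):
        flows[(src, domain)].append((ts, path))
    hits = {}
    for key, events in flows.items():
        if len(events) < min_hits:
            continue                      # too few requests to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        paths = {p for _, p in events}
        cv = pstdev(gaps) / mean(gaps)    # 0.0 means perfectly periodic
        if cv <= max_jitter and len(paths) <= max_paths:
            hits[key] = {"interval_s": round(mean(gaps)), "paths": sorted(paths)}
    return hits
```

Ordinary browsing (host 10.0.0.7) has irregular gaps and many distinct paths, so only the periodic three-filename flow is reported; tune the thresholds to your own proxy data.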
The newer MINIBUS, meanwhile, is more compact and flexible. Google lists a number of DLL filenames that could be in use and warns that the malware tries to detect whether it is running on a virtual machine as well as whether security applications are running.
With UNC1549's reliance on researching targets and customized spear phishing, companies should block untrusted links in emails and lean into awareness training to keep their employees up to date on the latest phishing methods, according to Google.