Iranian Hackers Target Aviation and Defense Sectors in Middle East

Mandiant has shed light on an ongoing campaign in which UNC1549, a suspected Iranian actor, has been targeting the aerospace, aviation and defense industries in Middle Eastern countries since at least June 2022, including Israel and the United Arab Emirates (UAE), and potentially Turkey, India and Albania. The campaign is notable for its extensive use of Microsoft Azure cloud infrastructure and for the employment of two unique backdoors:

  • MINIBIKE: A custom backdoor written in C++ capable of file exfiltration and upload, command execution, and more. Communicates using Azure cloud infrastructure.
  • MINIBUS: A custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features compared to MINIBIKE.

According to Mandiant, UNC1549 uses two methods to achieve initial access into victim environments: spear-phishing and credential harvesting. Attacks observed by researchers begin with spear-phishing emails or social media correspondence designed to direct victims to fake websites containing Israel-Hamas related content or fake job offers. These sites host MINIBIKE and MINIBUS, which give the actors backdoor access to victim environments and let them maintain persistence after a successful infection. Some of these sites have also masqueraded as login pages for companies such as aerospace giant Boeing to harvest credentials that can be used in further attacks.

Security Officer Comments:
Researchers note that UNC1549 employs various tactics to evade detection and keep its operations running under the radar for longer periods. According to Mandiant, UNC1549 uses a domain naming convention that resembles legitimate sites as a way to trick unsuspecting end users. UNC1549 also abuses Microsoft Azure infrastructure for C2 communications and hosting, making it hard to distinguish the activity from legitimate network traffic. In total, researchers note that UNC1549’s infrastructure consists of over 125 Azure command-and-control subdomains. What’s more, many of the actor’s servers are geolocated in the targeted countries, enabling UNC1549 to further mask its operations.
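The two evasion points above, lookalike domain names and C2 hosted on Azure subdomains, lend themselves to a simple triage pass over proxy logs. The following Python is an added example, not code from Mandiant or from the page; the log lines, the watchlist entries beyond boeing.com and the Azure suffix list are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed proxy log lines for illustration; not taken from the Mandiant report.
SAMPLE_LOGS = [
    "2024-02-27T10:01:02Z user=alice dst=careers.boeing.com path=/jobs",
    "2024-02-27T10:03:10Z user=bob dst=boeing-careers.azurewebsites.net path=/login",
    "2024-02-27T10:04:44Z user=carol dst=b0eing.com path=/signin",
    "2024-02-27T10:05:00Z user=dave dst=contoso.cloudapp.azure.com path=/api",
    "2024-02-27T10:06:31Z user=erin dst=example.org path=/",
]
# Brands users legitimately visit. Boeing is named on the page; microsoft.com is an assumed addition.
WATCHLIST = ("boeing.com", "microsoft.com")
# Azure-hosted suffixes to tag (assumption: real Azure service suffixes, not cited by the page).
AZURE_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".blob.core.windows.net")
LOG_RE = re.compile(r"user=(?P<user>\S+) dst=(?P<dst>\S+)")

def brand_label(domain):
    """Second-level label of a registrable domain: 'boeing' for 'boeing.com'."""
    return domain.lower().split(".")[-2]

def classify_host(host, watchlist=WATCHLIST, threshold=0.8):
    """Return the reasons a host looks suspicious; an empty list means nothing matched."""
    host = host.lower().rstrip(".")
    if any(host == w or host.endswith("." + w) for w in watchlist):
        return []  # the real site or a subdomain of it
    reasons = []
    for legit in watchlist:
        brand = brand_label(legit)
        for label in host.split("."):
            # Brand embedded in a label ('boeing-careers') or a near-miss spelling ('b0eing').
            if brand in label or SequenceMatcher(None, label, brand).ratio() >= threshold:
                reasons.append("lookalike:" + legit)
                break
    if host.endswith(AZURE_SUFFIXES):
        reasons.append("azure-hosted")  # hosting itself is not malicious; it adds context
    return reasons

def triage(log_lines):
    """Return (user, dst, reasons) for each log line whose destination raised a reason."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and (reasons := classify_host(m.group("dst"))):
            hits.append((m.group("user"), m.group("dst"), reasons))
    return hits

if __name__ == "__main__":
    for user, dst, reasons in triage(SAMPLE_LOGS):
        print(f"{user:6} {dst:40} {','.join(reasons)}")
```

An Azure tag on its own is only context, since plenty of legitimate services live there; the combination of a brand lookalike with a login path is the pattern worth escalating.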

Suggested Corrections:
With UNC1549 employing spear-phishing for initial access, users should be careful not to open links or attachments in emails from unknown senders. Also, actors like UNC1549 are known for creating fake pages masquerading as legitimate company sites. As a precaution, it's important to always double-check and verify the authenticity of any given site before entering credentials or other sensitive details.