
Iran-Linked UNC1549 Targeting Aerospace and Defense Industries in the Middle East

A new set of attacks aimed at aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E., has been attributed to an Iran-nexus threat actor known as UNC1549. According to a new analysis by Mandiant, which is owned by Google, the activity also targets Turkey, India, and Albania. The company has linked UNC1549 to Smoke Sandstorm (previously known as Bohrium) and Crimson Sandstorm (previously known as Curium). Crimson Sandstorm is an Islamic Revolutionary Guard Corps (IRGC)-affiliated group, also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.

The activity attributed to UNC1549 has been ongoing since at least June 2022 and was still active as of February 2024, according to Mandiant. The targeting focuses mainly on the Middle East, though it includes entities operating worldwide. The attacks use Azure cloud infrastructure for command-and-control (C2) and social engineering built around job-related lures, which deliver the MINIBIKE and MINIBUS backdoors. The spear-phishing emails carry links to fake websites hosting Israel-Hamas-related content or phony job offers, leading to the deployment of a malicious payload. The attacks also use bogus login pages that mimic major companies in order to harvest credentials.

Once the custom backdoors, MINIBIKE and MINIBUS, establish C2 access, they act as a conduit for intelligence collection and further access into the targeted network. Another tool deployed at this stage is tunneling software called LIGHTRAIL, which communicates over Azure cloud infrastructure. While MINIBIKE is written in C++ and capable of file exfiltration, file upload, and command execution, MINIBUS is a more “robust successor” with enhanced reconnaissance features.

According to Mandiant, “The intelligence collected on these entities is relevant to strategic Iranian interests and may be leveraged for espionage as well as kinetic operations.” The company added, “The evasion methods deployed in this campaign, namely the tailored job-themed lures combined with the use of cloud infrastructure for C2, may make it challenging for network defenders to prevent, detect, and mitigate this activity.”

CrowdStrike, in its Global Threat Report for 2024, described how “faketivists associated with Iranian state-nexus adversaries and hacktivists branding themselves as ‘pro-Palestinian’ focused on targeting critical infrastructure, Israeli aerial projectile warning systems, and activity intended for information operation purposes in 2023.” This includes Banished Kitten, which unleashed the BiBi wiper, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activity against more than 20 companies’ industrial control systems (ICS) in Israel.

However, it is worth noting that Hamas-linked adversaries have been noticeably absent from conflict-related activity, which CrowdStrike has attributed to power and internet disruptions in the region.

Deitasoft © 2024. All Rights Reserved.