UNC1549: Iranian Threat Actor Targeting Middle East Aerospace and Defense Sectors

layer8 | Mar 4, 2024 min read


Recently, Mandiant released a research report on UNC1549, a suspected Iranian threat actor targeting the aerospace, aviation, and defense sectors in the Middle East, particularly Israel and the UAE.

UNC1549 has been active since at least June 2022 and continues to operate as of February 2024. This group has demonstrated a high level of digital subterfuge, leveraging the chaos of the Israel-Hamas conflict to their advantage. They employ the guise of fake job offers and the “Bring Them Home Now” movement, a strategy designed to resonate with the emotions of their targets.

On July 15, 2020, Facebook exposed a long-running Iranian hacking campaign, evidencing the sophisticated social engineering tactics employed by Iranian threat actors. The hackers, associated with the Tortoiseshell group believed to operate on behalf of the Iranian government and with ties to the IRGC, utilized Facebook and other social media platforms to masquerade as recruiters. This operation targeted Americans and, to a lesser extent, UK and European individuals, diverging from previous campaigns that primarily focused on Middle Eastern targets.

Tortoiseshell’s methodologies included posing as professionals across various industries, engaging targets for months, and deploying malware-infected files or phishing sites. Facebook’s findings on Tortoiseshell align with UNC1549’s activities, suggesting a broader Iranian strategy of leveraging digital platforms for espionage. The strategic focus of UNC1549 is significant, targeting the core of the region’s defense and aerospace industries. Coupled with potential links to the IRGC, the intelligence gathered could play a pivotal role for Iran, both in the cyber domain and concerning real-world operations.

Campaign Details

The campaign deploys multiple evasion techniques to mask their activity. The most prominent of these is the extensive use of Microsoft Azure cloud infrastructure. They also use social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS, and a tunneler named LIGHTRAIL. Once deployed, these backdoors establish covert communication channels with attacker-controlled infrastructure, often disguised within legitimate Microsoft Azure services.

The backdoors provide attackers with the ability to collect sensitive files, enumerate systems, execute commands, and deploy additional tools. This essentially grants them nearly limitless control over the compromised network. The potential consequences of successful infiltrations are far-reaching, from intellectual property theft to the disruption of critical infrastructure.

Attack Chain

  • Initial Contact: Attackers initiate contact through emails or social media, using lures related to fake job offers or content associated with the Israel-Hamas conflict.
  • Fake Websites: Links within the communication lead to fraudulent websites that mimic legitimate content to deceive victims into downloading malicious payloads.
  • Malicious Payloads: These websites eventually prompt the download of a compressed archive containing the backdoors MINIBIKE or MINIBUS, disguised as benign applications or content.
  • Deception Strategy: The campaign utilizes Israel-Hamas war-themed content and fake job offers in tech and defense sectors to entice targets, particularly in the aviation, aerospace, or thermal imaging industries.

Backdoor Details

  • MINIBIKE: A backdoor written in C++ with file exfiltration and command execution capabilities. There are various versions of MINIBIKE, each with different functionalities.
  • MINIBUS: A more advanced backdoor with a flexible code-execution interface and enhanced reconnaissance features, allowing it to gather more information about the infected system.
  • LIGHTRAIL: A tunneler, likely based on an open-source Socks4a proxy. It is used for C2 communication, allowing the attackers to maintain control over the infected systems.