UNC1860: Iran’s Stealthy Cyber Espionage Campaign Targets Middle East Networks
This persistent and sophisticated group has been targeting government and telecommunications networks across the Middle East with a focus on gaining long-term access for espionage and potential cyber attacks.
Introduction
On September 19, 2024, Mandiant released a report on UNC1860, an Iranian state-sponsored threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS). This persistent and sophisticated group has been targeting government and telecommunications networks across the Middle East with a focus on gaining long-term access for espionage and potential cyber attacks.
Report Overview
UNC1860 is known for its advanced tradecraft, often associated with other Iranian threat groups like Shrouded Snooper and APT34. These actors have previously conducted significant operations, including providing access for destructive attacks like BABYWIPER against Israel and ROADSWEEP against Albania. While Mandiant couldn’t confirm UNC1860’s involvement in those specific incidents, the group’s specialized tooling and malware strongly suggest a role in facilitating similar access for other operations.
UNC1860 relies heavily on a collection of customized tools designed to infiltrate and maintain access to high-value networks. Two prominent tools identified are TEMPLEPLAY and VIROGREEN, GUI-operated malware controllers that allow UNC1860 to remotely control compromised systems. These tools are designed for third-party use, making it easier for other Iranian-linked actors to leverage the access created by UNC1860.
One of UNC1860’s standout features is its use of “passive” backdoors like TEMPLEDOOR and FACEFACE, designed to evade detection. These backdoors don’t initiate outbound communication, making it extremely difficult for traditional security tools to detect their presence. By using this tactic, UNC1860 can maintain a persistent foothold in the victim's network for long-term intelligence gathering.
UNC1860’s malware also demonstrates impressive reverse engineering skills, with the group repurposing a legitimate Iranian antivirus software driver as part of its malware arsenal. The driver is used to avoid detection and to protect the group’s implanted files, showing an advanced understanding of Windows internals and of endpoint evasion techniques.
UNC1860’s activities primarily target telecommunications and government sectors in the Middle East, with victims ranging from Saudi Arabian companies to Qatari entities. The group’s tactics, such as scanning for exposed vulnerabilities and compromising VPN servers, have wide-reaching implications, enabling deeper exploitation of regional networks.
Mandiant's report indicates that UNC1860 has a history of overlapping operations with APT34, another MOIS-linked group. Both groups have been seen targeting the same networks, suggesting a coordinated effort to increase the breadth of access across critical infrastructure in the region.
UNC1860’s ability to deploy tools like STAYSHANTE and SASHEYAWAY further expands its operational reach. These web shells and droppers allow for easy hand-off operations, enabling other threat actors to take control of compromised systems. As tensions in the Middle East fluctuate, UNC1860’s activities are likely to evolve, positioning the group as a key player in Iran’s cyber operations.
Insights and Analysis
Mandiant’s analysis highlights that UNC1860 operates as an initial access provider, opening doors for other actors in the Iranian cyber ecosystem. Their malware controllers and passive backdoors not only facilitate espionage but also provide a platform for future attacks. This makes UNC1860 a formidable adversary capable of adjusting to shifting geopolitical objectives.
Organizations in the Middle East, particularly in government and telecommunications sectors, should prioritize patching vulnerable external-facing services and implementing strict VPN server controls. Network monitoring should also be enhanced to detect any anomalies, particularly those involving inbound HTTPS traffic that may conceal command-and-control communications.
For Google SecOps Enterprise+ customers, Mandiant has provided specific security rules to help identify and prioritize threats from UNC1860. Detailed Indicators of Compromise (IOCs), including MD5 hashes of UNC1860-related malware, are available for further action.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
c517519097bff386dc1784d98ad93f9d | MD5 Hash | Hash for TEMPLEPLAY, a .NET-based controller for TEMPLEDOOR backdoor |
c57e59314aee7422e626520e495effe0 | MD5 Hash | Hash for VIROGREEN, a framework used for post-exploitation |
b219672bcd60ce9a81b900217b3b5864 | MD5 Hash | Hash for TEMPLEDOOR passive backdoor |
b4b1e285b9f666ae7304a456da01545e | MD5 Hash | Hash for TOFUDRV, a repurposed Windows kernel driver |
57cd8e220465aa8030755d4009d0117c | MD5 Hash | Hash for XORO encryption module |
0c93cac9854831da5f761ee98bb40c37 | MD5 Hash | Hash for Sheed AV repurposed Iranian AV driver |
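An added example, not part of the original post or of Mandiant’s tooling: a small Python scanner that hashes every file under a directory and matches the digests against the MD5 IOCs in the table above, so the table can be turned into a first-pass hunt across a file server or endpoint image. Function names, the case-normalization step and the directory layout are assumptions.

```python
import hashlib
import os

# MD5 IOCs from the table above (hash -> what Mandiant attributes it to).
UNC1860_MD5_IOCS = {
    "c517519097bff386dc1784d98ad93f9d": "TEMPLEPLAY, .NET controller for TEMPLEDOOR",
    "c57e59314aee7422e626520e495effe0": "VIROGREEN post-exploitation framework",
    "b219672bcd60ce9a81b900217b3b5864": "TEMPLEDOOR passive backdoor",
    "b4b1e285b9f666ae7304a456da01545e": "TOFUDRV repurposed Windows kernel driver",
    "57cd8e220465aa8030755d4009d0117c": "XORO encryption module",
    "0c93cac9854831da5f761ee98bb40c37": "Repurposed Sheed AV driver",
}


def normalize_iocs(iocs):
    """Lower-case and strip hash keys so feeds with mixed case or whitespace still match."""
    return {k.strip().lower(): v for k, v in iocs.items()}


def md5_of_bytes(data):
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file so large binaries (drivers, installers) are not loaded into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs=UNC1860_MD5_IOCS):
    """Hash every regular file under root; return sorted (path, md5, description) tuples for IOC hits."""
    table = normalize_iocs(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, devices and sockets
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # locked or unreadable; a production scanner should log this
            if digest in table:
                hits.append((path, digest, table[digest]))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for path, digest, desc in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{digest}  {desc}  {path}")
```

A hash match is a strong but brittle signal: a recompiled sample changes its MD5, so this complements rather than replaces the network monitoring for inbound HTTPS described above.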
MITRE ATT&CK Tactics and Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Exploit Public-Facing Application | T1190 | UNC1860 exploited vulnerable internet-facing servers to gain initial access through web shell deployment. |
Persistence | Implant Internal Proxy | T1090.002 | UNC1860 used passive implants like TEMPLEDOOR and TOFUDRV to maintain persistent access without initiating outbound traffic. |
Defense Evasion | Exploitation for Defense Evasion | T1211 | Repurposing of legitimate software drivers (e.g., Sheed AV and TOFUDRV) for defense evasion. |
Command and Control | Encrypted Channel | T1573 | Use of HTTPS-encrypted traffic for communication between malware controllers and passive implants, making it difficult for defenders to intercept. |