Iran-linked UNC1549 hackers target Middle East aerospace and defense sectors


An Iran-nexus threat actor known as UNC1549 has been attributed with medium confidence to a new series of attacks targeting the aerospace, aviation and defense industries in the Middle East, including Israel and the UAE.

Other targets of the cyber espionage activities are likely to include Turkey, India and Albania, Google-owned Mandiant said in a new analysis.

UNC1549 is said to overlap with Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium), the latter of which is an Islamic Revolutionary Guard Corps (IRGC)-affiliated group also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc.

“This suspected UNC1549 activity has been active since at least June 2022 and is still ongoing as of February 2024,” the company said. “Although it is regional in nature and primarily focused on the Middle East, the target group also includes entities that operate globally.”


The attacks involve the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering with job-related decoys to deliver two backdoors called MINIBIKE and MINIBUS.

The spear-phishing emails are designed to distribute links to fake websites carrying Israel-Hamas-related content or fake job advertisements, resulting in the deployment of a malicious payload. Fake login pages that impersonate major companies to harvest credentials have also been observed.

Once C2 access is established, the custom backdoors act as a channel for intelligence gathering and for further access into the target network. Another tool deployed at this stage is tunneling software called LIGHTRAIL, which also communicates via the Azure cloud.

While MINIBIKE is written in C++ and is capable of exfiltrating and uploading files and executing commands, MINIBUS acts as a more “robust successor” with improved reconnaissance features.

“The information collected on these entities is important to Iranian strategic interests and can be used for both espionage and kinetic operations,” Mandiant said.

“The evasion methods deployed in this campaign, namely the custom lures combined with the use of cloud infrastructure for C2, could make it challenging for network defenders to prevent, detect and mitigate this activity.”


CrowdStrike, in its Global Threat Report for 2024, described how “faketivists linked to Iranian state-nexus opponents and hacktivists who branded themselves as ‘pro-Palestinian’ focused on attacking critical infrastructure, Israeli aerial projectile warning systems, and activities intended for information operations in 2023.”

This includes Banished Kitten, which unleashed the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff that has claimed data-wiping activities against the industrial control systems (ICS) of more than two dozen companies in Israel.

That said, Hamas-affiliated adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm attributes to the region’s likely power and internet disruptions.
