Iran’s MOIS Unit Spreads Persistent Backdoors Across Middle East Telecoms, Gov Agencies

A recent report by Mandiant, a unit of Google, has exposed an Iranian cyber operation called UNC1860 that provides persistent entry to the systems of telecommunications and government organizations across the Middle East. This operation is housed within Iran’s Ministry of Intelligence and Security (MOIS) and serves as an initial access broker for the country’s hackers.

According to Mandiant, UNC1860 has developed a collection of specialized tools and passive backdoors that continue to assist other Iranian hacking operations. These groups have reportedly provided initial access for destructive and disruptive operations targeting Israel and Albania in 2022 and 2023, respectively.

A key feature of UNC1860 is its maintenance of a diverse collection of passive, listener-based utilities that support the group’s initial access and lateral movement goals. These tools are designed to evade anti-virus software and provide covert access to systems that can be used for various purposes, including espionage and network attack operations.

Mandiant found evidence of UNC1860’s tools being used by other MOIS-affiliated hacking groups, such as APT34, which has targeted government systems in Jordan, Israel, Saudi Arabia, and others. The company also discovered a wide-ranging APT34 operation targeting government officials in Iraq.

The security firm was hired in 2020 to respond to incidents in which UNC1860 used an unnamed victim’s network to scan for IP addresses and exposed vulnerabilities, mostly located in Saudi Arabia. Mandiant has also found evidence of UNC1860’s interest in domains belonging to Qatar.

In addition, the company linked UNC1860 to a March 2024 campaign involving wiper malware targeting Israeli organizations. After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors.

Other companies have previously spotlighted UNC1860’s tools, including Cisco, Check Point, and Fortinet. Iran has faced increased interest from security researchers and government agencies as its cyber operations have become more brazen.

Source: https://therecord.media/iran-backdoors-planted-across-middle-east-telecoms-government-orgs