In a recent report by Mandiant, cybersecurity researchers revealed a suspected Iranian espionage campaign targeting the aerospace, aviation, and defense industries across the Middle East. The threat actor, tracked as UNC1549 and suspected of links to the Islamic Revolutionary Guard Corps (IRGC), targeted entities affiliated with the aerospace and defense sectors, including in Israel and the United Arab Emirates. The attackers used Microsoft Azure cloud infrastructure for command-and-control of their deployed backdoors, so that the malicious traffic blended in with legitimate cloud traffic and was harder to detect. The primary purpose of the campaign appears to be espionage; Mandiant notes that the collected intelligence could also support hack-and-leak operations or enable kinetic attacks.
Mandiant researchers observed the Iranian hacking group, whose activity overlaps with the clusters known as Tortoiseshell, Crimson Sandstorm, and Imperial Kitten, posing as part of the "Bring Them Home Now" movement, an Israeli-led effort advocating for the return of hostages kidnapped by Hamas. The threat actors used decoy content, fake job-recruiter sites, spear-phishing emails, and social media correspondence to lure victims into downloading malicious payloads. The report points to a concerning rise in the group's sophistication, in particular its readiness to adapt lures to current events such as the Israel-Hamas war in order to carry out its intrusions.