Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors

February 28, 2024NewsroomCyber ​​Espionage / Malware

Aerospace and Defense Sectors

A threat actor in the Iran-nexus known as UNC1549 Alleged with medium confidence in a new set of attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the UAE

Other targets of cyber espionage activity likely include Turkey, India, and Albania, Google-owned Mandiant said in a new analysis.

UNC1549 is said to overlap with Smoke Sandstorm (formerly Bohrium) and Crimson Sandstorm (formerly Curium), the latter of which is a group affiliated with the Islamic Revolutionary Guard Corps (IRGC) also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc .

“This suspected UNC1549 activity has been active since June 2022 and will continue until February 2024,” the company said. SAYS. “While regional in nature and focused mostly on the Middle East, the targeting includes entities that operate around the world.”


The attacks involved the use of Microsoft Azure cloud infrastructure for command-and-control (C2) and social engineering involving work-related baits to deliver two backdoors called MINIBIKE and MINIBUS.

Spear-phishing emails are designed to spread links to fake websites with content Israel-Hamas related content or false job offers, resulting in the deployment of a malicious payload. Fake login pages impersonating major companies to harvest credentials have also been observed.

Conventional backdoors, in establishing C2 access, act as a conduit for intelligence gathering and for further access to the targeted network. Another tool deployed at this stage is tunneling software called LIGHTRAIL that communicates using the Azure cloud.

While MINIBIKE is based on C++ and is capable of exfiltration and file upload, and command execution, MINIBUS serves as a more “strong successor” with improved reconnaissance features.

“The intelligence collected by these entities is related to Iran’s strategic interests and can be used for espionage as well as kinetic operations,” Mandiant said.

“The evasion techniques deployed in this campaign, which are tailored job-themed baits combined with the use of cloud infrastructure for C2, can make it challenging for network defenders to prevent, detect, and reduce this activity.”


CrowdStrike, in its Global Threat Report for 2024, described how “faketivists associated with enemies of the state-nexus of Iran and hacktivists branding themselves ‘pro-Palestinian’ are focused on targeting critical infrastructure, Israel’s aerial projectile warning system, and activity intended for operational information purposes in 2023.”

These include Banished Kitten, which released the BiBi wiper malware, and Vengeful Kitten, an alias for Moses Staff who claimed data-wiping activity against more than 20 industrial control system (ICS) companies. in Israel.

As such, Hamas-linked adversaries have been noticeably absent from conflict-related activity, something the cybersecurity firm attributes to the likely power and disruption of the region’s internet.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment