A sophisticated cyberespionage campaign linked to an Iranian military group has been targeting aerospace and defense companies in Israel, the UAE, and other countries in the region. The attackers use fake job offers and political messages to lure victims and compromise their systems.
The threat group behind the campaign is known as UNC1549, Smoke Sandstorm, or Tortoiseshell, and is believed to be associated with the Iranian Revolutionary Guard Corps (IRGC). According to Google Cloud’s Mandiant, the group has been active since at least June 2022 and has customized its tactics for each targeted organization.
The group mainly uses two methods to infect victims: spear phishing and watering hole attacks. In spear phishing, the attackers send emails to specific employees, posing as recruiters or colleagues, and offer them attractive job opportunities or technical projects. The emails contain malicious links or attachments that lead to credential harvesting or malware installation.
In watering hole attacks, the attackers compromise legitimate websites that are frequented by the target audience, such as news sites or forums. The compromised sites redirect the visitors to fake landing pages that display political messages or job offers, and prompt them to download malicious files or enter their credentials.
The malware used by the group is a backdoor program called MINIBIKE or its newer variant, MINIBUS. The malware allows the attackers to access the infected systems, execute commands, upload and download files, and communicate with a command-and-control server hosted on cloud infrastructure.
What the Attackers Want
The main goal of the cyberespionage campaign is to steal sensitive information and intellectual property from the aerospace and defense sectors in the Middle East. The attackers are likely interested in gaining insights into the military capabilities, strategies, and plans of their adversaries, as well as obtaining advanced technologies and know-how.
The campaign also has a political dimension, as the attackers try to influence public opinion and regional dynamics by spreading propaganda and misinformation. The fake landing pages used by the group display messages that support the Iranian regime and its allies, and criticize the Israeli and UAE governments and their policies.
The campaign reflects the ongoing tensions and conflicts in the Middle East, and the increasing role of cyberspace as a battleground for espionage, sabotage, and influence operations. The attackers demonstrate a high level of sophistication, resources, and persistence, and pose a serious threat to the security and stability of the region.
How to Protect Against the Attack
The cyberespionage campaign is difficult to detect and track, as the attackers use various techniques to evade security measures and hide their traces. However, there are some steps that can be taken to reduce the risk of falling victim to the attack:
- Be vigilant and cautious when opening emails or visiting websites that offer job opportunities or technical projects, especially if they are unsolicited or unexpected. Verify the sender’s identity and the legitimacy of the offer before clicking on any links or attachments.
- Use strong and unique passwords for different accounts and services, and enable multi-factor authentication whenever possible. Do not reuse or share your credentials with anyone, and change them regularly.
- Keep your systems and applications updated with the latest security patches, and keep antivirus software current. Scan your devices for any signs of malware or suspicious activity, and report any incidents to your IT department or security team.
- Educate yourself and your colleagues about the common signs and methods of phishing and watering hole attacks, and how to avoid them. Follow the best practices and policies of your organization regarding cybersecurity and information security.