An advanced persistent threat (APT) group tracked as UNC1860 and linked to Iran’s Ministry of Intelligence and Security (MOIS) has been identified as the initial access provider for various Iranian state hacking groups. According to Mandiant, the group focuses on breaching high-value networks in sectors such as government, media, academia, critical infrastructure and, especially, telecommunications, before handing access to other Iranian actors.
UNC1860 has collaborated with groups such as Scarred Manticore and OilRig in attacks across Iraq, Saudi Arabia, and Qatar, and in espionage targeting Middle Eastern telecommunications companies. There have also been instances of preparation for wiper attacks in Albania and Israel.
In a recent report, Mandiant revealed that UNC1860 maintains around 30 custom malware tools, with indicators of compromise including a web shell named “Stayshante” and a dropper called “Sasheyaway.” These tools establish an initial foothold in the target network and pave the way for more sophisticated backdoors.
UNC1860’s approach involves deploying a series of increasingly advanced backdoors, ranging from initial access tools like Stayshante and Sasheyaway to main-stage backdoors such as “Templedrop” and “Oatboat.” For high-value targets, even more sophisticated backdoors like “Tofupipe” and “Tofuload” are used, which avoid common API calls to evade detection.
One key aspect of UNC1860’s operations is its passive nature: the group does not engage in destructive or exploitative behavior within the target network, which contributes to its stealth. By relying on inbound traffic rather than maintaining outbound communications, UNC1860 evades traditional security measures.
UNC1860’s implants require no command-and-control (C2) infrastructure: they only listen for inbound requests, which arrive from sources such as VPN nodes near the target and previously compromised victims. This passive approach lets the group operate covertly and persistently within target networks.
To counter UNC1860’s tactics, organizations are advised to improve their ability to inspect incoming network traffic. By scrutinizing inbound traffic for signs of malicious activity and focusing on unusual patterns, organizations can better defend against UNC1860’s stealthy operations.
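As an added illustration of the inbound-traffic review recommended above (example code written for this page, not from Mandiant or from the report), the script below checks constructed flow records against an assumed per-host inventory of expected listening ports. It flags internal hosts accepting external connections on unbaselined ports, and separately lists hosts that receive external connections but never initiate any, which is the traffic shape of a passive, C2-less implant. Both signals are triage leads, not verdicts; the network ranges, ports and flow lines are all constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed internal address space and per-host inventory of ports expected to accept inbound connections.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
BASELINE = {"10.0.1.20": {443}, "10.0.1.30": {25, 587}}

# Constructed flow records (src_ip,dst_ip,dst_port), one per line, in the style of a summarized connection log.
SAMPLE_FLOWS = """\
203.0.113.7,10.0.1.20,443
203.0.113.7,10.0.1.20,443
198.51.100.4,10.0.1.30,25
198.51.100.9,10.0.1.20,8443
192.0.2.77,10.0.1.20,8443
10.0.1.30,203.0.113.50,443
"""


def parse_flows(text):
    """Turn the comma-separated records into (src, dst, port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, port = line.split(",")
        flows.append((src, dst, int(port)))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_unexpected_listeners(flows, baseline=BASELINE):
    """Inbound flows (external -> internal) to a port not in that host's baseline.
    Returns {(host, port): sorted list of external sources}."""
    hits = defaultdict(set)
    for src, dst, port in flows:
        if not is_internal(src) and is_internal(dst) and port not in baseline.get(dst, set()):
            hits[(dst, port)].add(src)
    return {key: sorted(srcs) for key, srcs in hits.items()}


def inbound_only_hosts(flows):
    """Internal hosts that accept external connections but never open any outbound ones."""
    inbound, outbound = set(), set()
    for src, dst, _ in flows:
        if is_internal(dst) and not is_internal(src):
            inbound.add(dst)
        if is_internal(src) and not is_internal(dst):
            outbound.add(src)
    return sorted(inbound - outbound)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("unexpected listeners:", find_unexpected_listeners(flows))
    print("inbound-only hosts:", inbound_only_hosts(flows))
```

On the constructed sample, 10.0.1.20 is flagged for accepting two external sources on port 8443, which is absent from its baseline, and it is also the only host with no outbound sessions at all.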
As security experts continue to monitor and analyze UNC1860’s activities, the need for proactive measures to detect and mitigate such threats remains paramount in safeguarding critical networks and systems from sophisticated cyber intrusions.