Mandiant, a Google Cloud company, revealed today (Wednesday) an extensive espionage campaign by a cyber group suspected of being Iranian.
The group, tracked as UNC1549, is apparently linked to Iran's Revolutionary Guards and has been active since at least June 2022.
The campaign is directed mainly at organizations in the aviation, aerospace and defense sectors in the Middle East, and in particular in Israel and the United Arab Emirates.
The group may also be targeting entities in Turkey, India and Albania.
The intelligence gathered on these organizations is relevant to Iran's strategic interests, and may be used both for espionage and in support of kinetic (offensive) operations.
Use of content related to Hamas
As part of the attack, the group used content directly linked to the war with Hamas.
It impersonated the "Bring Them Home Now" movement, which calls for the return of the Israeli hostages held by Hamas, and distributed the MINIBUS malware through a fake website of the movement.
In addition, while the malware is being installed the user is shown decoy content (an image of a protest for the return of the hostages), intended to make the download look legitimate in the user's eyes and to mask the malicious activity.
The group also uses fake job offers to spread its malware, especially in the defense and technology fields.
For example, it used a website impersonating Boeing to distribute the MINIBIKE malware and to steal credentials through fake login pages.
Camouflage methods
The group uses a variety of methods to hide its activity, including social engineering: sending messages and phishing emails, and setting up fake websites from which the malware is downloaded.
In addition, it makes extensive use of Microsoft's cloud infrastructure (Azure), so that communication with its servers can look like legitimate traffic.
According to Google, the use of infrastructure located in Israel and the United Arab Emirates (the same countries as the organizations the group attacks) makes it harder to identify the group's malicious activity against those entities.
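The point above is that command-and-control traffic hidden on a reputable cloud provider cannot be flagged by destination reputation alone. One thing a defender can still look at is timing: a person browsing a cloud-hosted site produces bursty, irregular requests, while an implant polling its controller on a timer produces near-constant intervals. The script below is an added example, not code from the Mandiant report or from this article; it parses a constructed proxy-log format (timestamp, source host, destination host) and flags source/destination pairs whose request gaps are unusually regular. The hostnames, the log format, the thresholds (`min_hits`, `max_cv`) and the function name `find_beacons` are all assumptions made for the example.

```python
"""Timing-based beacon detection over proxy logs (added defender-side example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <source host> <destination host>".
# The destinations are placeholder names standing in for tenant hostnames on a
# major cloud provider; they are not indicators from the report.
SAMPLE_LOG = """\
2024-02-28T09:00:00 ws-17 tenant-a.example-cloud.net
2024-02-28T09:00:12 ws-17 updates.example-cloud.net
2024-02-28T09:05:00 ws-17 tenant-a.example-cloud.net
2024-02-28T09:07:41 ws-17 updates.example-cloud.net
2024-02-28T09:10:01 ws-17 tenant-a.example-cloud.net
2024-02-28T09:15:00 ws-17 tenant-a.example-cloud.net
2024-02-28T09:20:00 ws-17 tenant-a.example-cloud.net
2024-02-28T09:25:01 ws-17 tenant-a.example-cloud.net
2024-02-28T09:31:17 ws-17 updates.example-cloud.net
"""


def parse_log(text):
    """Yield (timestamp, src, dst) tuples from the whitespace-separated log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        yield datetime.fromisoformat(ts), src, dst


def find_beacons(text, min_hits=5, max_cv=0.1):
    """Return (src, dst, mean_gap_seconds, cv) for pairs with suspiciously regular timing.

    cv is the coefficient of variation (population stddev / mean) of the gaps between
    consecutive requests to the same destination. A low cv over enough requests
    suggests a timer-driven poll rather than human browsing, regardless of how
    legitimate the destination domain looks.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in parse_log(text):
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:          # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else 0.0
        if cv <= max_cv:
            findings.append((src, dst, round(m, 1), round(cv, 4)))
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print("possible beacon:", finding)
```

On the sample data the pair `ws-17 -> tenant-a.example-cloud.net` is reported (six requests roughly every 300 seconds), while the three irregular requests to `updates.example-cloud.net` fall below `min_hits` and are ignored. In practice this kind of check is a triage signal to be combined with other context (new destination for the host, process that made the request, volume), not a verdict on its own.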