Iranian hackers lurking in Middle Eastern government and telecom networks, backdoors discovered


The Iranian threat actor UNC1860, affiliated with the country’s Ministry of Intelligence and Security (MOIS), maintains a collection of specialized tooling and passive backdoors used to gain initial access to critical networks and remain in them for prolonged periods, Google’s Mandiant warns.

The Google-owned security firm has observed UNC1860 specializing in initial access provision. The actor uses specialized tools to compromise networks on behalf of other Iranian threat groups, targeting the telecommunications and government sectors in the Middle East.

UNC1860 reportedly provided the initial access for attacks on Israel in late October 2023 and on Albania in 2022. It collaborates with other MOIS-affiliated groups such as APT34.


Previously, Check Point researchers shed light on another Iranian threat actor, Void Manticore, that specializes in the destructive phase of the attacks, delivering payloads to erase critical information and corrupt systems.

Mandiant identified the specialized tooling used by UNC1860. Its malware controllers have a graphical user interface (GUI), which suits them to a hand-off to other threat groups. Additionally, the threat actor maintains “an arsenal of utilities and collection of ‘main-stage’ passive backdoors designed to gain strong footholds into victim networks and establish persistent, long-term access.”

The collection shows sophisticated reverse engineering capability: UNC1860 has built Windows kernel-mode malware, which runs with the highest level of access and control over the system, by repurposing a filter driver from a legitimate Iranian anti-virus product. The two controllers that give remote access to victim networks are tracked as TEMPLEPLAY and VIROGREEN.

“UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations,” Mandiant says.

“This actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.”

Like many other threat actors specializing in initial access, UNC1860 was observed scanning IP address ranges, predominantly located in Saudi Arabia, for exposed vulnerabilities. The group relies on a command-line tool to validate credentials across multiple domains, and it also targets VPN servers.
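Credential validation across several domains from one source is a pattern a defender can look for in authentication logs. The script below is an added detection sketch, not Mandiant's code or any UNC1860 tooling: it assumes a simple `timestamp source user@domain result` log format (the sample lines are constructed) and flags a source that tries the same username against at least three distinct domains inside a ten-minute window, whether the attempts succeed or fail, since a validation tool produces both.

```python
"""Added detection example (not from the original report).

Flags a single source that validates one username against several domains
in a short window, the behaviour described above for UNC1860's
credential-validation tool. Log format, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the assumed "ts src user@domain result" format.
SAMPLE_LOGS = """\
2024-09-01T10:00:01Z 203.0.113.7 svc_backup@corp.example success
2024-09-01T10:00:03Z 203.0.113.7 svc_backup@hq.example failure
2024-09-01T10:00:05Z 203.0.113.7 svc_backup@branch.example success
2024-09-01T10:00:09Z 203.0.113.7 svc_backup@dmz.example failure
2024-09-01T10:05:00Z 198.51.100.4 jdoe@corp.example success
2024-09-01T11:30:00Z 198.51.100.4 jdoe@hq.example success
2024-09-01T12:00:00Z 192.0.2.9 admin@corp.example failure
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, user, domain, result)."""
    ts, src, account, result = line.split()
    user, domain = account.rsplit("@", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, domain, result


def find_cross_domain_validation(log_text, min_domains=3, window=timedelta(minutes=10)):
    """Return (src, user, domains) tuples for every (source, username) pair that
    was tried against at least `min_domains` distinct domains within `window`.

    Success and failure are both counted: a validation tool sprays a known
    credential and the signal is the breadth of domains, not the outcome.
    A sliding window runs over the time-sorted events of each pair.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, domain, _result = parse_line(line)
        events[(src, user)].append((ts, domain))

    hits = []
    for (src, user), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            domains = {d for t, d in evs[i:] if t - t0 <= window}
            if len(domains) >= min_domains:
                hits.append((src, user, tuple(sorted(domains))))
                break  # one finding per (source, user) is enough
    return hits


if __name__ == "__main__":
    for src, user, domains in find_cross_domain_validation(SAMPLE_LOGS):
        print(f"{src} validated '{user}' against {len(domains)} domains: {', '.join(domains)}")
```

In the sample, only 203.0.113.7 trips the rule; jdoe's two logons are to different domains but ninety minutes apart, so a short window keeps ordinary multi-domain users out of the results. Tune `min_domains` and `window` against a baseline of how many domains a legitimate account touches in your environment before alerting on it.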

The hackers are opportunistic: they try to exploit vulnerable internet-facing servers and then deploy a suite of implants designed to be stealthier than common backdoors.

“These implants demonstrate the group’s keen understanding of the Windows operating system (OS) and network detection solutions, reverse engineering capabilities of Windows kernel components, and detection evasion capabilities.”


On compromised servers, UNC1860 selectively installs backdoors paired with GUI-operated controllers. These controllers can give third-party actors, who have no prior knowledge of the target environment, remote access to infected networks via the Remote Desktop Protocol (RDP).

“These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network,” the report reads.