UNC1860 is an Iranian advanced persistent threat (APT) group tracked by Mandiant and assessed as likely affiliated with Iran's Ministry of Intelligence and Security (MOIS) [1] [2]. It is a significant threat actor in the Middle East, where it operates as an initial access provider whose footholds are handed on to other Iranian operators [1] [2] [3] [4] [5] [6].
Description
UNC1860 serves as an initial access facilitator for target networks in the Middle East [4]. It uses specialized tooling and passive backdoors to gain and keep access to high-priority networks in the government and telecommunications sectors [2] [4], and the access it establishes is then used by other Iranian operators. Mandiant has linked the group to the destructive attacks on Albania and Israel [2]: it is assessed to have played a supporting role, likely providing the initial access, in the operations that deployed the ROADSWEEP ransomware in Albania and the BABYWIPER wiper in Israel.
The group's arsenal is built around passive backdoors [1] [2]. Unlike a conventional implant, a passive backdoor does not beacon out to a command-and-control server; it waits for an inbound connection carrying the right trigger, so there is no periodic outbound traffic for network monitoring to key on. Operators drive these backdoors through GUI-based controllers such as TEMPLEPLAY and VIROGREEN [2], which provide remote access to the victim environment [2] [4] and can be handed to a separate team for post-exploitation.
UNC1860's activity overlaps with APT34 [2], and both groups have been observed pivoting to organizations in Iraq [4].
Initial access comes from exploiting vulnerable internet-facing servers, after which UNC1860 drops web shells and implants with low antivirus detection rates [2]. VIROGREEN is a custom framework the group uses to exploit, and then control, vulnerable SharePoint servers [2]. Mandiant has catalogued a diverse collection of passive tools and main-stage backdoors supporting initial access [2], lateral movement [2] [5], and information gathering [2]. The implants show advanced knowledge of Windows internals, reverse engineering of Windows components, and detection evasion [1] [4], which makes UNC1860 a formidable actor able to supply access for a range of objectives across the Iranian cyber ecosystem [4].
Mandiant's report landed as Iran's cyber operations against perceived rivals were ramping up [2]. US agencies had separately reported Iranian actors stealing non-public material from political campaigns in an effort to influence the 2024 US election, and CISA had warned that the Iranian group tracked as Lemon Sandstorm (also known as Pioneer Kitten) was partnering with ransomware affiliates against organizations in the United States and the Middle East [2]. Those campaigns are attributed to other Iranian actors, not to UNC1860.
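The web shell stage of this tradecraft is the part a defender can check for directly on the host. The script below is an added example written for this page, not Mandiant's tooling and not a set of UNC1860-specific signatures: it walks an ASP.NET web root (the directories an IIS or SharePoint server executes from), scores every server-side file on generic web shell traits (request-controlled input reaching a command, reflection or compilation sink, and large embedded base64 blobs), and ranks the hits by score and file age. The extension set, the indicator regexes and their weights, and the three sample files it writes into a temporary directory (including the SharePoint-style `_layouts/15` path) are all assumptions constructed for the example.

```python
"""Triage scan of an ASP.NET web root for web shell traits.
Added example for this page: not Mandiant's tooling and not UNC1860-specific
signatures. The extension set, regexes, weights and sample files are assumptions.
"""
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Extensions an IIS / SharePoint host executes server-side (assumes default handler mappings).
SERVER_SIDE_EXT = {".aspx", ".ashx", ".asmx", ".asax", ".ascx", ".soap"}

# (name, regex, weight): one execution sink alone stays below the threshold of 3;
# sink + request input, or sink + a long base64 blob, crosses it.
INDICATORS = [
    ("request_input",   re.compile(r"Request\s*(\[|\.Form|\.QueryString|\.Headers|\.Cookies|\.InputStream)"), 1),
    ("process_exec",    re.compile(r"Process\.Start\s*\(|ProcessStartInfo|cmd\.exe|powershell(\.exe)?", re.I), 2),
    ("reflection_load", re.compile(r"Assembly\.Load\s*\(|Activator\.CreateInstance"), 2),
    ("dynamic_compile", re.compile(r"CodeDom|CSharpCodeProvider|CompileAssemblyFromSource|Server\.Execute"), 2),
    ("file_write",      re.compile(r"File\.WriteAll(Bytes|Text)|new FileStream|\.SaveAs\s*\("), 1),
    ("long_base64",     re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"), 2),
]
EXEC_SINKS = {"process_exec", "reflection_load", "dynamic_compile"}

@dataclass
class Finding:
    path: str
    score: int
    hits: list = field(default_factory=list)
    age_days: float = 0.0

def score_text(text):
    """Return (score, [indicator names]) for one file's contents."""
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(name)
    # Request-controlled input reaching an execution sink is the classic web shell
    # shape; boost it so it ranks above either signal on its own.
    if "request_input" in hits and EXEC_SINKS.intersection(hits):
        score += 2
    return score, hits

def scan_webroot(root, threshold=3, now=None):
    """Walk root; return Findings >= threshold, highest score then newest file first."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SERVER_SIDE_EXT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            score, hits = score_text(text)
            if score >= threshold:
                age = (now - os.path.getmtime(path)) / 86400
                findings.append(Finding(path, score, hits, round(age, 2)))
    findings.sort(key=lambda f: (-f.score, f.age_days))
    return findings

# --- Constructed samples (written for this example; not real UNC1860 files) ---
BENIGN_PAGE = """<%@ Page Language="C#" %>
<html><body><asp:Label ID="lbl" runat="server" Text="Welcome" /></body></html>
"""
# Command-execution shape: a request parameter is passed straight to cmd.exe.
SHELL_LIKE = """<%@ Page Language="C#" %>
<% var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);
   psi.UseShellExecute = false; psi.RedirectStandardOutput = true;
   Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); %>
"""
# Loader shape: an embedded base64 blob is decoded and loaded as an assembly.
LOADER_LIKE = ('<%@ Page Language="C#" %><% var b = System.Convert.FromBase64String("'
               + "QUFB" * 80 + '"); System.Reflection.Assembly.Load(b); %>')

def demo():
    """Write the samples into a temporary web root, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, body in [("default.aspx", BENIGN_PAGE),
                      (os.path.join("_layouts", "15", "help.aspx"), SHELL_LIKE),
                      (os.path.join("bin", "update.ashx"), LOADER_LIKE)]:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return scan_webroot(root)

if __name__ == "__main__":
    for f in demo():
        print(f"score={f.score} age={f.age_days}d {f.path} [{', '.join(f.hits)}]")
```

Point `scan_webroot` at a real web root and read the ranked list as leads, not verdicts: data-bound pages, update handlers and admin tools legitimately trip single indicators, which is why a lone sink scores below the threshold while a request parameter flowing into that sink does not. Note what a file scan does not cover. A passive backdoor that is not a web shell (a listener registered on a port the server already uses, or code loaded into a running service) leaves nothing in the web root, so pair this with an inventory of listening sockets and HTTP.sys URL reservations on the host (on Windows, `netstat -ano` and `netsh http show urlacl`) and treat any listener that no installed product accounts for as a lead of the same weight.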
As tensions escalate in the Middle East [6], UNC1860’s advanced evasion techniques present a persistent challenge for cybersecurity defenses in the region [6].
Conclusion
UNC1860's activities pose a significant threat to government and telecommunications organizations in the Middle East [2], and because the group hands its footholds to other Iranian operators, a UNC1860 intrusion can be the opening stage of espionage or destructive activity run by a different actor. Its tradecraft points to concrete defensive priorities: patch and harden internet-facing servers, SharePoint in particular, since those are its entry point; hunt for web shells and droppers on web roots rather than relying on antivirus, given the low detection rates of its implants; and do not depend on outbound C2 detection alone, since passive backdoors wait for inbound connections and produce no beaconing traffic. Countering an access broker of this kind also requires sharing indicators among the organizations it targets, because the same foothold is reused by more than one Iranian group.
References
[1] https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks
[2] https://thehackernews.com/2024/09/iranian-apt-unc1860-linked-to-mois.html
[3] https://irannewsupdate.com/news/terrorism/iranian-backdoors-spread-across-middle-east-telecoms-and-government-agencies-google-reports/
[4] https://securityaffairs.com/168656/apt/unc1860-provides-iran-linked-apts-access-middle-east.html
[5] https://www.scmagazine.com/brief/middle-east-backdoored-by-iranian-state-backed-hackers
[6] https://cybermaterial.com/irans-passive-backdoors-lurk-in-middle-east/