Government

Iran hacking group impersonates defense firms, hostage campaigners

A hacking campaign linked to the Islamic Revolutionary Guard Corps is targeting firms in the defense sector with a pair of new backdoors.

By AJ Vicens

February 27, 2024

A picture taken from the plain of Khiam shows a man waving an Iranian flag as smoke rises from burning dry grass, following skirmishes between Lebanese youths and Israeli soldiers, at a rally to mark the 23rd anniversary of Israel's withdrawal from Lebanon, on May 25, 2023. (Photo by MAHMOUD ZAYYAT/AFP via Getty Images)

An Iranian-sponsored cyberespionage unit is impersonating major brands like Boeing and the Chinese drone manufacturer DJI as part of a social engineering and phishing campaign targeting the aerospace, aviation and defense industries across the Middle East, researchers with Mandiant said late Tuesday.

The Iranian hacking group has also been observed employing a fake website playing on the Israel-Hamas war, using the “Bring Them Home Now!” slogan associated with a campaign to free hostages held by Hamas. The website is the latest example of the way in which Iranian hacking groups are using the conflict between Israel and Hamas to carry out opportunistic attacks linked to the fighting.

The Iranian campaign relies on phony job offers from major international companies and the fake hostage-themed website to funnel targets to compromised websites designed to either harvest credentials or deliver one of two previously unreported and unique backdoors dubbed “MINIBUS” and “MINIBIKE,” the researchers said.

Fake website deployed by Iranian-sponsored cyberespionage group (Mandiant).

The current campaign dates to at least June 2022 and remains active. It has mostly targeted Israel, the United Arab Emirates and, potentially Turkey, India and Albania, the researchers said.

The unit behind the campaign is tracked as UNC1549 by Mandiant and the infrastructure described by Mandiant overlaps with the hacking groups dubbed Tortoiseshell and Imperial Kitten. The unit is likely linked to the Islamic Revolutionary Guard Corps and has a history of using fake job offers and similar lures in social engineering campaigns going back years.

In July 2021, for instance, Facebook announced the disruption of one of the group’s campaigns that used accounts on the social media platform to pose as recruiters to target U.S. military members. An October 2023 PwC analysis noted that the group is known to employ both custom and off-the-shelf malware to achieve its espionage goals, which includes credential harvesting and data exfiltration.

The current campaign uses Microsoft Azure cloud infrastructure for command and control and hosting functions, “making it difficult to discern the activity from legitimate network traffic,” the researchers said.

Iran hacking group impersonates defense firms, hostage campaigners

More Like This

Cyberattack hits Georgia county at center of voting software breach

Campaigns and political parties are in the crosshairs of election meddlers

Iranian nationals charged with hacking U.S. companies, Treasury and State departments

Top Stories

FCC wants rules for ‘most important part of the internet you’ve probably never heard of’

More Scoops

Google: Iranian, regional hacking operations that target Israel remain opportunistic but focused

Microsoft: Iran is refining its cyber operations

U.S. government sanctions Iranian officials over Pennsylvania water facility hack

Israel-linked hacking group claims attack on Iranian gas pumps

Russian information operation uses US celebrity Cameos to attack Zelensky

Anti-Israel hacking campaign highlights danger of internet-connected devices

Pennsylvania water facility hit by Iran-linked hackers

Latest Podcasts

How Troy Hunt knows if you’ve been hacked and Washington tries to understand AI

Why pig butchering is the worst kind of online scam

How the FBI fights ransomware

Rumman Chowdhury on AI red-teaming; a Sisense supply chain attack

Government

Technology

Threats

Geopolitics