Iran backdoors planted across Middle East telecoms, government agencies, Google says

A cyber operation housed within Iran’s Ministry of Intelligence and Security (MOIS) has become a sophisticated initial access broker for the country’s hackers, providing persistent entry to the systems of telecommunications and government organizations across the Middle East.

Mandiant, a unit of Google, published a report on Thursday about an operation they call UNC1860. Hackers connected to the unit have developed an impressive collection of specialized tools and passive backdoors that continue to assist other Iranian hacking operations, according to the researchers.  

“These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP,” Mandiant explained, noting that while they cannot independently confirm that UNC1860 was involved in both operations, they found tooling that was “likely designed to facilitate hand-off operations.”

Mandiant said a key feature of UNC1860 includes its “maintenance of this diverse collection of passive/listener-based utilities that support the group’s initial access and lateral movement goals.”

The tools are designed to evade anti-virus software and provide secret access to systems that can be used for a variety of purposes. 

Mandiant called UNC1860 a “formidable threat actor” that likely supports “various objectives ranging from espionage to network attack operations.”

The security company found evidence of UNC1860’s tools being used by other MOIS-affiliated hacking groups like APT34 — a prominent Iranian threat group responsible for intrusions of government systems in Jordan, Israel, Saudi Arabia and others. Last week, researchers uncovered a wide-ranging APT34 operation targeting government officials in Iraq. 

Mandiant said it was hired in 2020 to respond to incidents where UNC1860 used an unnamed victim’s network to scan for IP addresses and exposed vulnerabilities mostly located in Saudi Arabia. The company has also found evidence of UNC1860’s interest in domains belonging to Qatar. 

The company added that tools used in a March 2024 campaign involving wiper malware targeting Israeli organizations could also be attributed to UNC1860. 

“After obtaining an initial foothold, the group typically deploys additional utilities and a selective suite of passive implants that are designed to be stealthier than common backdoors,” Mandiant said. 

Other companies have spotlighted UNC1860’s tools in the past including Cisco, Check Point and Fortinet. 

Iran has faced increased interest from security researchers and government agencies as its cyber operations have become more brazen. 

On Wednesday night, the FBI and other law enforcement agencies said the country’s hackers stole documents from the campaign of former President Donald Trump and tried, but failed, to spread the information to rival campaigns and news outlets.

“As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift,” Mandiant said.