Suspected Iranian cyber-espionage campaign targets Middle East aerospace, defense industries

An ongoing cyber-espionage campaign that uses unique malware against the aerospace, aviation and defense industries in the Middle East appears to have links to Iran, security researchers say.

The operation is targeting entities in Israel and the United Arab Emirates (UAE) — and potentially Turkey, India and Albania — according to analysts at Mandiant, the cybersecurity unit for Google Cloud.

The campaign began as early as June 2022, and appears to be linked to an Iranian group that Mandiant tracks as UNC1549, which overlaps with another hacking operation labeled Tortoiseshell.

That group’s hit list has included Israeli shipping companies and U.S. aerospace and defense companies, and reports have connected it to Iran’s Islamic Revolutionary Guard Corps (IRGC). Earlier this month, the U.S. sanctioned members of an IRGC unit for attacks against water utilities.

The researchers said the potential IRGC connection “is noteworthy given the focus on defense-related entities and the recent tensions with Iran in light of the Israel-Hamas war.” Iran openly supports the Hamas militants in Gaza.

Mandiant observed UNC1549 “deploy multiple evasion techniques to mask their activity, most prominently the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS.”

The MINIBIKE malware was first spotted in June 2022 and last seen in October 2023. It’s capable of “file exfiltration and upload, command execution, and more,” Mandiant said, and it uses Azure cloud infrastructure.

MINIBUS, meanwhile, is a “custom backdoor that provides a more flexible code-execution interface and enhanced reconnaissance features,” the researchers said. They first spotted it in August 2023 and saw it as recently as January.

The two pieces of malware cover the usual cyber-espionage checklist, including the harvesting of login credentials to enable further spying, or running other malicious code to clear the way for more activity.

The researchers also spotted a custom “tunneler” they labeled LIGHTRAIL. Tunnelers essentially hide malicious activity by wrapping internet traffic inside other traffic.