UNC1860: Iranian Hackers Continue Cyber Assault on Middle East
The Iranian hacker group UNC1860, allegedly linked to the Iranian Ministry of Intelligence and Security (MOIS), continues to carry out cyberattacks on government and telecommunications networks across the Middle East.
According to Mandiant, the group relies on specialized tooling and passive backdoors to hand other operators prolonged access to targeted systems, making UNC1860 a key initial-access provider rather than the final operator of an intrusion.
UNC1860 facilitated access for destructive attacks on Israel in October 2023, using the BABYWIPER wiper, and on Albania in 2022 with the ROADSWEEP malware. While direct evidence of UNC1860’s involvement in these attacks remains absent, experts have noted the presence of TEMPLEPLAY and VIROGREEN tools, likely intended to transfer control during operations.
The core arsenal of UNC1860 includes a suite of passive backdoors and utilities, enabling the group to establish long-term footholds within victim networks. One such example is a Windows kernel driver, re-engineered from Iranian antivirus software, showcasing the group’s high-level expertise in reverse-engineering Windows components. The use of these tools allows the group to effectively evade detection by security systems.
Furthermore, UNC1860 actively exploits vulnerabilities in internet-facing servers to install web shells and launch further attacks. For instance, in 2020, the group was observed using victim infrastructure to scan IP addresses in Saudi Arabia in search of vulnerable hosts. The hackers also targeted VPN servers and tested credentials against them, demonstrating their intent to maintain long-term control over compromised systems.
In addition to operating as an independent cybercriminal entity, UNC1860 collaborates with another Iranian group, APT34, confirming their role in providing initial network access for subsequent attacks. A hallmark of UNC1860 is their use of unconventional data encoding and encryption methods to circumvent threat detection systems.
Mandiant also highlights that UNC1860 possesses extensive capabilities to exploit acquired access, including the management of compromised machines via specialized GUI controllers. These tools enable remote operators to execute commands, upload and download files, and establish connections for further network penetration.
Experts warn that UNC1860 remains one of the most dangerous cyber threats in the region, continuously evolving its tactics and tools. The ongoing tensions in the Middle East may only serve to heighten the group’s activity there.
In June 2024, Mandiant Managed Defense experts uncovered the cyber-espionage group UNC2970, linked to North Korea. Later that same month, Mandiant recorded phishing attacks where hackers impersonated an energy company and an aerospace organization.
Mandiant experts note that such attacks by UNC2970 aim to gain access to strategic information, and their activities intersect with another North Korean group, TEMP.Hermit, which has been active since 2013.
Earlier in 2023, Mandiant specialists reported that North Korean hackers targeted cybersecurity researchers and media organizations in the U.S. and Europe with fake job offers, leading to the deployment of three new malware families.