Cybersecurity

Report Says Iranian Hackers Targeting Israeli Defense Sector

Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Hackers Are Leveraging Israel-Hamas War to Carry Out Attacks, Researcher Tells ISMG

Report Says Iranian Hackers Targeting Israeli Defense Sector
Mandiant found suspected Iranian hackers targeting Middle Eastern defense workers. (Image: Shutterstock)

Cybersecurity researchers identified a suspected Iranian espionage campaign targeting aerospace, aviation and defense industries across the Middle East, including in Israel and the United Arab Emirates.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

Threat intelligence firm Mandiant published a report Tuesday night that links a threat actor tracked as UNC1549, allegedly associated with the Iranian Revolutionary Guard Corps, to a series of coordinated attacks targeting Middle East entities affiliated with the aerospace and defense sectors.

Ofir Rozmann, a senior researcher for Mandiant and a coauthor of the report, told Information Security Media Group that hackers “used decoys and lures” to gain initial access into targeted systems. They primarily used Microsoft Azure cloud infrastructure to communicate with their deployed back doors – a technique used to evade detection.

Tehran-affiliated hackers “are growing overtime in sophistication and conducting tailored cyberespionage and destructive campaigns,” Rozmann said. This campaign’s primary purpose appears to be espionage but may also support other activities such as “hack-and-leak operations or enabling kinetic warfare attacks.”

Mandiant researchers observed the alleged Iranian hacking group – also known as TortoiseShell, Crimson Sandstorm and Imperial Kitten – masquerading as part of the “Bring Them Home Now” movement, an Israeli-led effort calling for the return of hostages kidnapped by Hamas. The threat actors also used fake job recruiter sites, spear-phishing emails and social media correspondence to manipulate victims into downloading malicious payloads.

According to the report, the hackers targeted employees within the aviation and defense sectors with fake job offers for tech and defense-related positions – specifically, for people who work with thermal imaging. The hackers evaded detection through a series of techniques, including the use of servers located within the targeted countries, and by abusing the Microsoft Azure infrastructure.

“This suspected UNC1549 activity has been active since at least June 2022, and is still ongoing as of February 2024,” the report says. “While regional in nature and focused mostly in the Middle East, the targeting includes entities operating worldwide.”

The report suggests that Iranian hackers are using recent events such as the Israel-Hamas war to carry out increasingly advanced cyberattacks, all while effectively flying under the radar.

“The campaign was not active against Israel before August 2023,” Rozmann said. “Since August 2023 we have observed multiple malware variants as well as extensive infrastructure used by the campaign, suggesting the possibility that the actor’s activity became more prolific since that time.”

Iran has carried out an array of cyberattacks targeting Israeli critical infrastructure sectors and organizations in recent years, and it appeared to advance those campaigns after the Israeli-Hamas war began last year. Hackers linked to the IRGC have been associated with a string of recent cyberattacks targeting Israeli-made pressure-monitoring controllers used in U.S. water systems (see: Internet-Exposed Water PLCs Are Easy Targets for Iran).

“Our assessment is that this campaign is targeting high-profile organizations and aims for quality over quantity,” Rozmann told ISMG.