A stealthy access broker for Iranian state hackers

An advanced persistent threat (APT) group linked to Iran's Ministry of Intelligence and Security (MOIS) provides initial access services to a multitude of other Iranian state-sponsored hacking groups.

UNC1860 has been the gateway for attacks by notorious groups such as Scarred Manticore and OilRig (aka APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten). As Mandiant explained in a recent blog post, its focus is exclusively on breaking into networks in high-value sectors (government, media, academia, critical infrastructure, and especially telecommunications), establishing a foothold there, and then handing that access to other Iranian nation-state actors.

Over the years, UNC1860 has been associated with attacks against targets in Iraq, Saudi Arabia, and Qatar; with spying on Middle Eastern telecommunications companies; with setting the stage for wiper attacks in Albania and Israel; and more.

The Many Backdoors of UNC1860

In March, Israel's National Cyber Directorate warned that wiper attacks were hitting organizations across the country, including managed service providers, local governments, and academic institutions. The indicators of compromise (IoCs) included a web shell called "Stayshante" and a dropper called "Sasheyaway," two of about 30 custom malware tools used by UNC1860, the Mandiant report explains.

UNC1860 is not the one performing the wiping, or any other disruptive, destructive, or otherwise exploitative activity in a target's network. Its job is simply to gain that initial foothold, primarily by scanning the targeted organizations' public-facing assets for vulnerabilities and then planting a series of increasingly capable and sophisticated backdoors.

Stayshante, Sasheyaway, and similar tools are its first toe in the water and can be used to download larger backdoors like "Templedoor," "Faceface," and "Sparkload." For its higher-value targets, UNC1860 deploys its more sophisticated backdoors, like "Templedrop" or "Oatboat," which load and execute payloads like "Tofupipe" and "Tofuload," passive TCP-based listeners.

“To configure these listeners, they don’t even use the classic Windows API calls; they actually use undocumented tools from HTTP.sys, which is crazy,” says Stav Shulman, principal researcher at Mandiant by Google Cloud.

“Most backdoors exploit common API calls, so most engines will detect them,” Shulman says. “But if you’re determined enough, smart enough, and have extraordinary technical knowledge, you can exploit calls that aren’t documented by the Microsoft Developer Network (MSDN). So UNC1860 actually reverse-engineered them themselves, so you won’t detect their calls.”

UNC1860’s trick to stay undetectable

Besides its lack of destructive behavior, there is another reason why you hear about Scarred Manticore, OilRig, and Shrouded Snooper but rarely about UNC1860: all of UNC1860's implants are completely passive. They do not send any information out of target networks and do not need any command-and-control (C2) infrastructure to be maintained.

“Most current detections focus on outbound communications, but UNC1860 focuses only on inbound requests,” Shulman explains. “The inbound traffic they listen for can come from many stealthy sources (including) VPN nodes near the target, other victims of previous attacks, and other locations in a target’s network.”

In 2020, for example, the group was observed using one victim's network as a jumping-off point to scan for potentially vulnerable IP addresses in Saudi Arabia, validate various accounts and email addresses associated with Saudi Arabian domains in Qatar, and target VPN servers in the same region.

And, as Shulman points out, "to escalate the operation, all they need to do is send a command at a random time to activate the backdoor." Because the group's implants communicate over encrypted HTTPS, victims cannot readily read its commands or payloads off the wire.

Shulman advises organizations to focus on how best to control inbound network traffic.

“How do you detect (malicious traffic)? How do you decide if incoming traffic is malicious or not?” Shulman says. “Because even (when UNC1860 abuses) documented API calls that cybersecurity engines would detect, there are a lot of legitimate software that uses those same calls, so detecting malicious calls can be very confusing and lead to a lot of false positives. Focusing on incoming traffic is the key, I think, to detecting UNC1860 activity.”
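One way to act on that advice, as an added example that is not the article's or Mandiant's code: baseline which internal hosts legitimately accept inbound connections, and which URL paths a web server actually serves, then flag what falls outside the baseline. The address ranges, VPN pool, server and log records below are constructed for the demonstration, and the first-path-segment heuristic and the "2xx on an unknown path" rule are this example's own assumptions. It goes one step beyond the article by checking URL paths as well as listeners, because an HTTP.sys-registered listener can share port 443 with a legitimate IIS site, so a connection-level baseline alone would never see it.

```python
"""Hunting passive implants by baselining inbound traffic.

Added example, not code from the article or from Mandiant. It works on
Zeek-style conn.log and http.log fields; the records, address ranges and
server addresses below are constructed for the demonstration.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan: internal ranges and the VPN client pool.
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")


def source_class(ip):
    """Where an inbound connection comes from: an implant may be triggered from
    a VPN node near the target or from another host already inside the network."""
    addr = ipaddress.ip_address(ip)
    if addr in VPN_POOL:
        return "vpn"
    if any(addr in net for net in INTERNAL):
        return "lateral"
    return "external"


def is_internal(ip):
    return source_class(ip) != "external"


# Constructed conn.log records from a known-good window:
# (orig_h, orig_p, resp_h, resp_p, proto)
BASELINE_CONN = [
    ("203.0.113.10", 51022, "10.0.1.5", 443, "tcp"),    # public web server
    ("198.51.100.7", 40211, "10.0.1.5", 443, "tcp"),
    ("10.0.3.7", 50901, "10.0.1.10", 25, "tcp"),        # internal mail relay
    ("10.0.1.5", 55123, "93.184.216.34", 443, "tcp"),   # outbound; not a listener
]

# Constructed conn.log records from the window under review.
REVIEW_CONN = [
    ("203.0.113.55", 43120, "10.0.1.5", 443, "tcp"),    # known listener
    ("203.0.113.55", 43121, "10.0.1.20", 8443, "tcp"),  # host never seen accepting before
    ("10.0.3.7", 50990, "10.0.1.20", 8443, "tcp"),      # same listener, reached laterally
    ("10.200.4.9", 61000, "10.0.1.10", 25, "tcp"),      # known listener, VPN source
]

# Constructed http.log records: (orig_h, host, uri, status_code)
BASELINE_HTTP = [
    ("203.0.113.10", "10.0.1.5", "/", 200),
    ("203.0.113.10", "10.0.1.5", "/index.html", 200),
    ("198.51.100.7", "10.0.1.5", "/api/login", 200),
    ("198.51.100.7", "10.0.1.5", "/api/status", 200),
    ("198.51.100.7", "10.0.1.5", "/static/app.js", 200),
]
REVIEW_HTTP = [
    ("203.0.113.55", "10.0.1.5", "/api/status", 200),
    ("203.0.113.55", "10.0.1.5", "/wp-login.php", 404),   # ordinary scanner noise
    ("203.0.113.55", "10.0.1.5", "/ews/sync.aspx", 200),  # unknown path, yet answered
    ("10.200.4.9", "10.0.1.5", "/ews/sync.aspx", 200),
]


def learn_listeners(conns):
    """(host, port, proto) triples that internal hosts were seen accepting."""
    return {(rh, rp, proto) for _, _, rh, rp, proto in conns if is_internal(rh)}


def find_new_listeners(conns, baseline):
    """Inbound connections to an internal listener with no baseline, one row per source class."""
    hits = set()
    for oh, _, rh, rp, proto in conns:
        if is_internal(rh) and (rh, rp, proto) not in baseline:
            hits.add((rh, rp, proto, source_class(oh)))
    return sorted(hits)


def path_prefix(uri):
    """First path segment; the assumed unit of 'known' server surface."""
    first = uri.split("?", 1)[0].strip("/").split("/", 1)[0]
    return "/" + first


def learn_uri_prefixes(https):
    seen = defaultdict(set)
    for _, host, uri, _ in https:
        seen[host].add(path_prefix(uri))
    return seen


def find_unknown_paths(https, baseline):
    """Requests a server answered with 2xx on a prefix it never served before.
    A 4xx on an unknown path is scanner noise; a 2xx means something on the
    host accepted it, which is how a listener sharing IIS's port would look."""
    hits = []
    for oh, host, uri, status in https:
        if path_prefix(uri) not in baseline.get(host, set()) and 200 <= status < 300:
            hits.append((host, uri, source_class(oh), status))
    return hits


if __name__ == "__main__":
    for hit in find_new_listeners(REVIEW_CONN, learn_listeners(BASELINE_CONN)):
        print("new inbound listener:", hit)
    for hit in find_unknown_paths(REVIEW_HTTP, learn_uri_prefixes(BASELINE_HTTP)):
        print("unknown path answered:", hit)
```

Run against the constructed records, this flags 10.0.1.20:8443 twice (once reached from the internet, once laterally from 10.0.3.7) and the `/ews/sync.aspx` requests that 10.0.1.5 answered although it never served that prefix in the baseline; the 404 on `/wp-login.php` is ignored. The source class is carried on every alert because the article's point is that the triggering request need not come from the internet at all.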