UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks

Summary: UNC1860 is an Iranian state-sponsored threat actor linked to the Ministry of Intelligence and Security, known for its sophisticated tooling and persistent access to high-priority networks in the Middle East. The group has been involved in initial access operations and has demonstrated advanced capabilities in espionage and network attacks.

Threat Actor: UNC1860
Victim: Various entities in the Middle East | Middle Eastern government and telecommunications sectors

Key Points:

  • UNC1860 utilizes custom GUI-operated malware controllers, TEMPLEPLAY and VIROGREEN, to facilitate remote access for external actors.
  • The group has demonstrated its ability to gain persistent access through specialized backdoors and tools, including web shells like STAYSHANTE and droppers like SASHEYAWAY.
  • There is evidence of collaboration with other Iranian threat actors, such as APT34, indicating a network of support for lateral movement and operational pivoting.
  • UNC1860 has targeted entities in Saudi Arabia and Qatar, showcasing its focus on regional vulnerabilities and espionage operations.

Executive Summary

UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.

UNC1860’s tradecraft and targeting parallel those of Shrouded Snooper, Scarred Manticore, and Storm-0861, Iran-based threat actors publicly reported to have targeted the telecommunications and government sectors in the Middle East. These groups have also reportedly provided initial access for destructive and disruptive operations that targeted Israel in late October 2023 with BABYWIPER and Albania in 2022 using ROADSWEEP. Mandiant cannot independently corroborate that UNC1860 was involved in providing initial access for these operations. However, we identified specialized UNC1860 tooling, including GUI-operated malware controllers, that is likely designed to facilitate hand-off operations, further supporting the initial access role played by UNC1860.

UNC1860 additionally maintains an arsenal of utilities and a collection of “main-stage” passive backdoors designed to gain strong footholds in victim networks and establish persistent, long-term access. Among these main-stage backdoors is a Windows kernel-mode driver repurposed from a legitimate Iranian anti-virus software filter driver, reflecting the group’s ability to reverse engineer Windows kernel components and to evade detection. These capabilities demonstrate that UNC1860 is a formidable threat actor that likely supports various objectives ranging from espionage to network attack operations. As tensions continue to ebb and flow in the Middle East, we believe this actor’s adeptness in gaining initial access to target environments represents a valuable asset for the Iranian cyber ecosystem that can be exploited to answer evolving objectives as needs shift.

Teamwork Makes the Dream Work: UNC1860’s Role as an Initial Access Provider 

Mandiant identified two custom, GUI-operated malware controllers tracked as TEMPLEPLAY and VIROGREEN that we assess were used to provide a team outside of UNC1860 remote access to victim networks. This tooling, coupled with public reporting and evidence suggesting that the group collaborates with MOIS-affiliated groups such as APT34, strengthens the assessment that UNC1860 acts as an initial access agent.

Using Sustained Access to Support Initial Access Operations

In 2020, Mandiant responded to an engagement in which UNC1860 used the victim’s network as a staging area to conduct additional scanning and exploitation operations against unrelated entities. The actor was observed scanning IP addresses predominantly located in Saudi Arabia in an attempt to identify exposed vulnerabilities. UNC1860 also used a command-line tool to validate credentials of accounts and email addresses across multiple domains belonging to Qatari and Saudi Arabian entities, and later targeted VPN servers of entities in the region. 
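The staging-host behaviour described above leaves two signals a defender can hunt for: one internal host reaching an unusually large number of distinct external addresses in a short window, and one source validating credentials for many accounts across several domains. The following is an added example of that hunting logic, not tooling or data from the Mandiant report; the record layouts, thresholds, the assumed internal range (10.0.0.0/8) and the sample flows and authentication events are all constructed.

```python
"""
Added example (not the report's own tooling or data): two hunting heuristics
for a compromised host being used as a scanning / credential-validation
staging point, run over constructed sample records. Record layouts,
thresholds, addresses and domain names are assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

EPOCH = datetime(1970, 1, 1)
# Assumption: the organisation's own address space. Anything outside it is
# treated as external, which also covers the documentation ranges used below.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _bucket(ts: str, window: timedelta) -> int:
    """Map an ISO-8601 timestamp onto a fixed-width time-bucket index."""
    return (datetime.fromisoformat(ts) - EPOCH) // window


def _is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_scanning_hosts(flows, window=timedelta(minutes=5), min_targets=20) -> dict[str, int]:
    """Internal sources that reached >= min_targets distinct external addresses
    inside one window. flows: iterable of (timestamp, src_ip, dst_ip, dst_port).
    Returns {src_ip: peak distinct external targets in a single window}."""
    targets: dict[tuple[str, int], set[str]] = defaultdict(set)
    for ts, src, dst, _port in flows:
        if _is_internal(src) and not _is_internal(dst):
            targets[(src, _bucket(ts, window))].add(dst)
    peak: dict[str, int] = defaultdict(int)
    for (src, _b), dsts in targets.items():
        peak[src] = max(peak[src], len(dsts))
    return {src: n for src, n in peak.items() if n >= min_targets}


def find_credential_validation(events, window=timedelta(minutes=10),
                               min_accounts=15, min_domains=2) -> dict[str, dict[str, int]]:
    """Sources that tried >= min_accounts distinct accounts spanning >= min_domains
    domains inside one window, regardless of success or failure.
    events: iterable of (timestamp, src_ip, domain, username, result)."""
    seen: dict[tuple[str, int], set[tuple[str, str]]] = defaultdict(set)
    for ts, src, domain, user, _result in events:
        seen[(src, _bucket(ts, window))].add((domain.lower(), user.lower()))
    hits: dict[str, dict[str, int]] = {}
    for (src, _b), accounts in seen.items():
        domains = {d for d, _u in accounts}
        if len(accounts) >= min_accounts and len(domains) >= min_domains:
            prev = hits.get(src)
            if prev is None or len(accounts) > prev["accounts"]:
                hits[src] = {"accounts": len(accounts), "domains": len(domains)}
    return hits


# --- constructed sample data (documentation addresses, not real indicators) ---
FLOWS = (
    # 10.0.0.5 sweeps 30 distinct external hosts on 443 within 30 seconds
    [(f"2024-03-01T10:00:{i:02d}", "10.0.0.5", f"203.0.113.{i + 1}", 443) for i in range(30)]
    # 10.0.0.7 shows ordinary activity: a couple of external sites and an internal share
    + [("2024-03-01T10:01:00", "10.0.0.7", "198.51.100.20", 443),
       ("2024-03-01T10:02:00", "10.0.0.7", "198.51.100.21", 443),
       ("2024-03-01T10:03:00", "10.0.0.7", "10.0.0.9", 445)]
)

DOMAINS = ["corp-a.example", "corp-b.example", "corp-c.example"]  # constructed
AUTH_EVENTS = (
    # 10.0.0.5 checks 24 distinct accounts across three domains in 24 seconds
    [(f"2024-03-01T10:05:{i:02d}", "10.0.0.5", DOMAINS[i % 3], f"user{i:02d}", "failure")
     for i in range(24)]
    # 10.0.0.7 is one user logging in normally
    + [("2024-03-01T10:05:30", "10.0.0.7", DOMAINS[0], "alice", "success"),
       ("2024-03-01T10:06:10", "10.0.0.7", DOMAINS[0], "alice", "success")]
)

if __name__ == "__main__":
    print("scanning hosts:", find_scanning_hosts(FLOWS))
    print("credential validation:", find_credential_validation(AUTH_EVENTS))
```

Both heuristics bucket by fixed windows rather than sliding ones, which is cheap enough to run over flow and authentication logs at scale; a burst that straddles a bucket boundary can be caught by lowering the threshold or by running a second pass with offset windows. Feeding the credential check with successes as well as failures matters here, because validation of already-known credentials produces successes, not lockouts.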

UNC1860 Overlaps with APT34 

Mandiant responded to several engagements in 2019 and 2020 in which organizations compromised by suspected APT34 actors were previously compromised by UNC1860. Similarly, organizations previously compromised by suspected APT34 actors were later compromised by UNC1860, suggesting the group may play a role in assisting with lateral movement. Mandiant additionally identified recent indications of operational pivoting to Iraq-based targets by both APT34-related clusters and UNC1860. 

Web Shell and Droppers 

UNC1860 web shells and droppers such as STAYSHANTE and SASHEYAWAY, which the group deploys on compromised servers after gaining initial access, have functionality that lends itself to hand-off operations. In March 2024, the Israeli National Cyber Directorate was alerted to wiper activity targeting Israeli entities across various sectors, including managed service providers, local governments, and academia; the technical indicators included the unique STAYSHANTE web shell and the SASHEYAWAY dropper, both of which we attribute to UNC1860.

  • STAYSHANTE is typically installed using names masquerading as Windows server file names or dependencies, and is controlled by the VIROGREEN custom framework described in the following section.

  • SASHEYAWAY has a low detection rate that allows for the smooth execution of full passive backdoors, such as TEMPLEDOOR, FACEFACE, and SPARKLOAD, embedded within it.
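A web shell installed under a name that masquerades as a Windows file or dependency is best caught by comparing the web root against a known-good deployment manifest and by flagging server-side script files whose names look like system components. The following is an added example of such a hunt, not the report's own tooling and not UNC1860 malware; the script-extension set, the Windows-name watchlist, the manifest and the file contents are constructed placeholders.

```python
"""
Added example (not part of the report): hunt a web application root for
server-side script files that are unlisted in, or changed from, a known-good
deployment manifest, and whose names masquerade as Windows system files or
dependencies. Manifest, file contents and watchlist are constructed.
"""
from __future__ import annotations
import hashlib
import re
from pathlib import PurePosixPath

# Extensions the web server executes; extend for your stack (assumption).
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
# Stems of well-known Windows binaries/components. A web script carrying one of
# these names is worth a look; the list is a starting point, not exhaustive.
WINDOWS_LOOKALIKES = {"kernel32", "ntdll", "svchost", "lsass", "csrss",
                      "winlogon", "wininet", "msvcrt", "user32", "advapi32"}
# "something.dll.aspx" style names: a binary-looking name with a script suffix.
DOUBLE_EXT = re.compile(r"\.(dll|exe|sys|ocx|drv)\.[a-z0-9]+$", re.IGNORECASE)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def name_findings(path: str) -> list[str]:
    """Name-based reasons to look at a file; only script files are considered."""
    p = PurePosixPath(path)
    if p.suffix.lower() not in SCRIPT_EXTENSIONS:
        return []
    reasons = []
    if p.stem.lower() in WINDOWS_LOOKALIKES:
        reasons.append("windows-lookalike")
    if DOUBLE_EXT.search(p.name):
        reasons.append("double-extension")
    return reasons


def hunt(files: dict[str, bytes], manifest: dict[str, str]) -> dict[str, list[str]]:
    """files: {path: content} as read from the web root.
    manifest: {path: sha256} recorded at deployment time.
    Returns {path: sorted reasons} for every file that deserves review."""
    findings: dict[str, list[str]] = {}
    for path, content in files.items():
        reasons = name_findings(path)
        expected = manifest.get(path)
        if expected is None:
            reasons.append("unlisted")          # never deployed by us
        elif expected != sha256(content):
            reasons.append("hash-mismatch")     # deployed file was altered
        if reasons:
            findings[path] = sorted(reasons)
    for path in manifest:
        if path not in files:
            findings[path] = ["missing"]        # deleted or renamed since deployment
    return findings


# --- constructed known-good content and manifest ---
GOOD_DEFAULT = b"<%@ Page Language='C#' %><html><body>Welcome</body></html>"
GOOD_USERS = b"<%@ WebHandler Language='C#' Class='UsersHandler' %>"
GOOD_LOGO = b"\x89PNG\r\n\x1a\n constructed placeholder image bytes"

BASELINE_MANIFEST = {
    "/inetpub/wwwroot/default.aspx": sha256(GOOD_DEFAULT),
    "/inetpub/wwwroot/api/users.ashx": sha256(GOOD_USERS),
    "/inetpub/wwwroot/images/logo.png": sha256(GOOD_LOGO),
}

# --- constructed snapshot of the web root as found during the hunt ---
CURRENT_WEBROOT = {
    "/inetpub/wwwroot/default.aspx": GOOD_DEFAULT,
    "/inetpub/wwwroot/api/users.ashx": GOOD_USERS + b"<!-- constructed: drifted from manifest -->",
    "/inetpub/wwwroot/images/logo.png": GOOD_LOGO,
    # two unlisted script files with names that imitate Windows components
    "/inetpub/wwwroot/bin/ntdll.aspx": b"<%@ Page Language='C#' %><!-- constructed placeholder -->",
    "/inetpub/wwwroot/msvcp140.dll.aspx": b"<%@ Page Language='C#' %><!-- constructed placeholder -->",
}

if __name__ == "__main__":
    for path, reasons in sorted(hunt(CURRENT_WEBROOT, BASELINE_MANIFEST).items()):
        print(f"{path}: {', '.join(reasons)}")
```

The manifest comparison is the stronger control: it does not depend on guessing the attacker's naming, so it also surfaces a shell dropped under an innocuous name or spliced into an existing page. The name heuristics are there to prioritise review when no manifest exists for an older application.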

Custom, GUI-Operated Malware Controllers

UNC1860 GUI-operated malware controllers TEMPLEPLAY and VIROGREEN could provide third-party actors who have no previous knowledge of the target environment the ability to remotely access infected networks via RDP and to control previously installed malware on victim networks with ease. These controllers additionally could provide third-party operators an interface that walks operators through how to deploy custom payloads and perform other operations such as conducting internal scanning and exploitation within the target network.

Source: https://cloud.google.com/blog/topics/threat-intelligence/unc1860-iran-middle-eastern-networks