A gang of hackers linked to Iran is targeting aerospace and defense firms in Israel and the UAE, according to Google’s security arm.
The group named UNC 1549 – also known as Smoke Sandstorm and Tortoiseshell – have been using a variety of tactics to breach corporate security.
These include ‘spear fishing’ – sending links that appear to relate to a targeted individual’s interests – and ‘watering hole attacks’, in which hackers infect websites they believe someone to visit regularly.
UNC 1549 is known to be linked to the Iranian Revolutionary Guard Corps (IGRC).
According to Jonathan Leathery, principal analyst for Mandiant, the group's tactics make detection challenging: "The most notable part is how illusive this threat can be to discover and track — they clearly have access to significant resources and are selective in their targeting."
Microsoft has previously observed a shift in tactics by Iranian threat groups, particularly targeting IT services firms as a means to infiltrate government networks. Smoke Sandstorm, for instance, compromised a Bahrain-based IT integrator in 2021, indicating a broader strategic agenda.
Initially concentrating on IT service providers, UNC1549 has broadened its scope to encompass aerospace and defense sectors. Its operations transcend the Middle East, suggesting potential links to cyberattacks in Albania, India, and Turkey.
"The intelligence collected on these entities is of relevance to strategic Iranian interests, and may be leveraged for espionage as well as kinetic operations," Google wrote. "This is further supported by the potential ties between UNC1549 and the Iranian IRGC."
Companies are urged to enhance cybersecurity measures, including blocking untrusted links and providing comprehensive awareness training to employees.