Threats Feed | UNC1860 | Last Updated: 02/10/2024 | Author: Certfa Radar | Publish Date: 20/09/2024

UNC1860 Targets Middle Eastern Networks with Specialized Tooling

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Backdoor, Malware
  • Attack Complexity: Very High
  • Threat Risk: High Impact/High Probability

Threat Overview

UNC1860, an Iranian state-sponsored group likely affiliated with the Ministry of Intelligence and Security (MOIS), targets government and telecommunications sectors in the Middle East, particularly in Saudi Arabia, Qatar, and Israel. The group acts as an initial access provider, exploiting vulnerabilities in internet-facing servers and deploying web shells like STAYSHANTE. Custom tools, such as TEMPLEPLAY and VIROGREEN, allow for remote access and further exploitation. UNC1860's operations are characterised by passive backdoors, credential validation, and stealthy malware that facilitates long-term persistence and hand-off to other threat actors. It's likely that the group has supported disruptive campaigns in the region.

Detected Targets

Type   | Description                      | Confidence
Sector | Government Agencies and Services | Verified
Sector | Telecommunication                | Verified
Region | Albania                          | Verified
Region | Israel                           | Verified
Region | Qatar                            | Verified
Region | Saudi Arabia                     | Verified
Region | Middle East Countries            | Verified

Extracted IOCs

Tip: 65 related IOCs (0 IP, 0 domain, 0 URL, 0 email, 65 file hash) to this threat have been found.

Overlaps

Actor: Unknown | State-Sponsored Cyberattacks Target Israeli Academia and Government Sectors

Source: Israel National Cyber Directorate - March 2024

Detection (two cases): 3d5d05f230ae702c04098de512d93d48, 69fd67c115349abb4a313230a1692642

Actor: Unknown | Unveiling srvnet2: A Rootkit with Sophisticated Evasion and Injection Tactics

Source: darksys0x - June 2023

Detection (one case): 4dd6250eb2d368f500949952eb013964

Actor: Cobalt Gypsy | Cobalt Gypsy Exploits Exchange Vulnerabilities in Persistent Cyber Campaign

Source: Secureworks - July 2021

Detection (one case): b34883fb1630db43e06a38cebfa0bce2

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.
