Share this article on:
A state-sponsored Iranian hacking gang has been observed impersonating defence contractors Boeing and DJI, posting fake job ads in a wider phishing campaign targeting aerospace, aviation and defence industry members.
The campaign has been attributed to the UNC1549 Iranian hacking group “with moderate confidence” by cyber security firm Mandiant. The threat group has connections to the Tortoiseshell threat group, and both groups have connections to the Islamic Revolutionary Guard Corps.
According to Mandiant, the threat group aims to gain access to the systems of defence contractors through spear phishing and credential harvesting to engage in cyber espionage, particularly targeting organisations within Israel and the United Arab Emirates (UAE), as well as potentially India, Albania, Turkey, and other countries within the Middle East.
It does this through phishing emails with fake job offers delivered to staff of these industry organisations, which, when clicked on, deliver malware.
The hackers also established fake job sites with URLs like “1stemployer[.]com” or “careers-finder[.]com”.
The advertised jobs were for tech and defence-related roles, such as project manager positions in the areas of aviation, aerospace and thermal imaging.
“Mandiant observed this campaign deploy multiple evasion techniques to mask their activity, most prominently the extensive use of Microsoft Azure cloud infrastructure as well as social engineering schemes to disseminate two unique backdoors: MINIBIKE and MINIBUS,” wrote Mandiant in its report.
Once in, the hackers collect data that can leverage further or greater access to the targeted system.
Mandiant also observed hackers impersonating the “Bring Them Home Now” movement, a campaign that calls for the return of Israeli hostages that have been kidnapped by Hamas, with some of the emails directing users to a fake site for the campaign.
Mandiant’s latest observations come as cyber warfare and hacktivism play an increasing role in modern conflicts, such as in the Israel-Hamas War.
Anonymous Sudan is one such actor that has increased the frequency and amplitude of its operations in light of the conflict.
The group recently launched a distributed denial-of-service (DDoS) attack on OpenAI, crippling its ChatGPT service, among others, in response to anti-Palestine comments made by one of its executives, among other reasons.
“ChatGPT, you cannot fix your poor protection? Thank you Cloudflare for the worst protection,” it wrote in a post on Telegram shared by the group’s leader, Crush.
“We have hit ChatGPT & openAI strongly for many reasons,” said Anonymous Sudan.
“OpenAI’s cooperation with the occupation state of Israel and the CEO of OpenAI saying he’s willing to invest into Israel more, and his several meetings with Israeli officials like Netanyahu, as Reuters reported.
“AI is now being used in the development of weapons and by intelligence agencies like Mossad, and Israel also employs AI to further oppress the Palestinians.
“ChatGPT has a general biasness towards Israel and against Palestine as it has been exposed in twitter, in general there’s huge bias of the model towards some topics which has to be fixed.
“OpenAI is an American company, and we still are targeting any American company.”