UNC1860 and The Temple of Oats – Iran’s hidden hand in Middle Eastern Networks


This session is a master class in piecing together seemingly unrelated tools and incidents into a single cohesive story about an emerging threat group, UNC1860. For years, UNC1860, a state-sponsored Iranian threat actor, operated covertly, leaving behind a trail of tools and incidents that multiple security vendors could not attribute to a single entity. Through meticulous investigation, we were able to correlate the clues about this actor and expose not only its full arsenal but also its intent and tactics.

Despite persistently targeting governments, telecommunications and critical infrastructure entities across the Middle East since at least 2018, the group has remained largely obscured, while frequently acting as an advanced access broker for the Iranian government. In this talk, we will shed light on the advanced aspects of the group's activity. This includes their sophisticated use of Windows kernel-mode drivers, which entailed repurposing Iranian AV drivers as well as developing custom kernel implants that demonstrated the group's extensive capability to reverse engineer Windows kernel components. Moreover, our research will reveal previously undisclosed tools extracted from victim systems that were used as webshells and passive backdoor controllers in production environments.

Drawing on Google Cloud – Mandiant's real-world incident response experience in the Middle East, we will illustrate UNC1860's distinct tactics within compromised environments, demonstrating how their activities facilitate operations for a broad spectrum of Iranian threat actors. This includes destructive attacks against government networks that have garnered international attention, as well as sophisticated espionage operations by MOIS-affiliated APTs. By connecting the dots of UNC1860's activities, we will unveil a critical component of Iran's cyber strategy and the associated risks to organizations in the region and beyond.

By:
Stav Shulman | Staff Security Researcher, Google Cloud

Full Abstract and Presentation Materials:
https://www.blackhat.com/eu-24/briefings/schedule/#unc1860-and-the-temple-of-oats—iran39s-hidden-hand-in-middle-eastern-networks-42360