A cyber operation within Iran’s Ministry of Intelligence and Security (MOIS) has evolved into a highly sophisticated access broker for Iranian hackers, enabling persistent intrusions into telecommunications and government systems across the Middle East.
In a report published on Thursday, Mandiant, a division of Google, detailed the activities of a group known as UNC1860. According to researchers, this group has developed a suite of specialized tools and passive backdoors that continue to support Iranian cyber operations.
“These groups have reportedly provided initial access for destructive attacks, such as the BABYWIPER attack on Israel in October 2023 and the ROADSWEEP attack on Albania in 2022,” Mandiant explained. Although the direct involvement of UNC1860 in these attacks cannot be independently verified, the group’s tools appear to have been designed to facilitate such operations.
A key characteristic of UNC1860 is its extensive use of passive utilities that help achieve initial access and lateral movement while evading antivirus detection. These tools enable covert access to compromised systems for various purposes.
Mandiant described UNC1860 as a “formidable threat actor” likely involved in a range of activities, from espionage to network attacks. Evidence suggests the group’s tools have been used by other MOIS-linked hacking groups, such as APT34, which has been implicated in attacks on government systems in Jordan, Israel, Saudi Arabia, and more. Last week, APT34 was also linked to a large-scale operation targeting Iraqi officials.
Mandiant was engaged in 2020 to investigate incidents involving UNC1860, in which the group used a compromised victim’s network to scan for vulnerabilities in Saudi Arabia. The group’s interest in domains linked to Qatar was also uncovered.
Additionally, tools used in a March 2024 attack involving wiper malware on Israeli organizations have been tied to UNC1860. Once they gain a foothold, the group typically deploys stealthy implants designed to evade detection more effectively than common backdoors.
UNC1860’s tools have been previously highlighted by security companies like Cisco, Check Point, and Fortinet. Iran’s cyber operations have drawn increasing attention from researchers and governments as they grow more audacious.
On Wednesday, U.S. law enforcement agencies, including the FBI, revealed that Iranian hackers had attempted to steal and disseminate documents from former President Donald Trump’s campaign, though they were unsuccessful in spreading the information.
“With ongoing tensions in the Middle East, UNC1860’s expertise in gaining initial access makes it a valuable asset within Iran’s cyber ecosystem, capable of supporting evolving objectives,” Mandiant concluded.