Essential Insights
- Data Breaches: An Iranian state-linked group tracked as "Subtle Snail" (aka UNC1549) has stolen sensitive data from 11 global telecommunications, satellite, and aerospace companies in recent weeks.
- Targeted Strategy: Subtle Snail tailors each attack, impersonating recruiters on LinkedIn to reach personnel with access to sensitive systems and lure them into divulging personal information.
- Modular Malware: Its backdoor, "MiniBike," is modular and evades hash-based detection by delivering a slightly different variant of each DLL component in every attack.
- Espionage Objectives: The group collects research and development information and call data records for international espionage, consistent with Iranian state interests.
In the span of just a couple of weeks, Iranian hackers have stolen highly sensitive data from 11 global telecommunications companies, satellite operators, and aerospace equipment manufacturers.
Cyber defenders have been tracking or otherwise fending off Middle Eastern cyberattacks by “Subtle Snail” (aka UNC1549) for around four years now. First, in 2021, it attacked a Bahrain-based IT integrator — perhaps, researchers thought, as a window to its more valuable clients. Later, it seemed to have developed a focus on aerospace and defense firms. Google researchers observed attacks in Israel and the United Arab Emirates (UAE), and evidence of further activity in Albania, India, and Turkey.
In a burst of recent attacks observed by researchers at Prodaft, Subtle Snail spread its operations across the Middle East, Europe, and North America. Besides aerospace and defense, a lot of its focus has been in the telecommunications industry, particularly satellite communications. A few of its latest victims have been massive companies serving millions of customers — big catches they managed to pull off by customizing every single attack to the nines.
Charming Kitten Spies on Telcos
Subtle Snail’s success can be attributed to the significant amount of effort it puts into customizing its attacks for each and every victim.
First, the group identifies key personnel in the organization it is interested in. IT administrators, researchers, and developers are ideal targets because they have greater-than-average access to sensitive systems and business data. The attackers research these individuals, reviewing their online profiles, particularly LinkedIn, and whatever other useful information they have published on the Web. They also, of course, gather what they can about the target's employer.
Next the attackers don the disguise of a recruiter on LinkedIn and reach out to their targets with fake job openings. These fake profiles, openings, and the phishing domains they connect to are all designed to impersonate either Telespazio or Safran Group, European companies in the outer space and aerospace technology sectors. Targets are attracted to the job openings that seem perfect for their career trajectories — What a coincidence! — so they follow the phishing links and start divulging their personal information.
The backdoor they end up contracting, “MiniBike,” is even more customized than the phishing lure they fell for. On its own, it’s a fairly standard piece of badware: gathering basic system data, establishing persistence, connecting to a command-and-control (C2) server, and supporting a dozen or so other standard malicious functions.
MiniBike’s primary purpose is to load additional components in the form of dynamic link libraries (DLLs). In a kind of comical exaggeration of a modular backdoor, every function it can carry out is downloaded as its own DLL, each slightly altered so that it constitutes its own variant. So if MiniBike deploys a keylogger on two different systems, the two copies won’t look exactly the same.
“Operationally, the malware is modular and it’s functionally the same,” explains Halit Alptekin, chief intelligence officer at Prodaft. Still, in effect, “even a single-bit change produces a different hash, and many AV products struggle to detect those variants. Some vendors perform behavior analysis, but their detection rules are still not comprehensive enough to catch every variant.”
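The hash-evasion point in the quote above is easy to demonstrate. The Python below is an added example, not code from the article, from Prodaft, or from MiniBike itself. It builds a constructed stand-in for a DLL component, derives per-target variants by flipping a single padding bit, and compares an exact-hash blocklist against a toy content-similarity fingerprint (Jaccard similarity over byte 4-grams, a simplified stand-in for fuzzy hashes such as ssdeep or TLSH). The payload bytes, the variant generator, and the 0.9 threshold are all assumptions chosen for illustration.

```python
"""Added example (not from the article, Prodaft or MiniBike): how a per-target
variant defeats a hash blocklist, and how a content-similarity fingerprint does not.

Everything below is constructed for illustration. The 'component' is a synthetic
byte string shaped loosely like a PE image, not a real sample."""
import hashlib
from typing import Dict, Iterable, Set

# Constructed stand-in for a keylogger DLL: header, zero padding, a few strings an
# analyst would expect, a long stable 'code' body and a config string.
BASE_COMPONENT = (
    b"MZ\x90\x00"
    + b"\x00" * 60
    + b"SetWindowsHookExW\x00GetAsyncKeyState\x00WriteFile\x00"
    + bytes(range(256)) * 4
    + b"keylog.dat\x00"
)

# An unrelated file with the same header, used to show the fingerprint discriminates.
UNRELATED_COMPONENT = b"MZ\x90\x00" + bytes(range(255, -1, -1)) * 4


def make_variant(base: bytes, seed: int) -> bytes:
    """Simulate the per-deployment rebuild: flip one bit inside the zero padding.
    Real rebuilds may also reorder or re-encode code, which is why the similarity
    threshold further down is deliberately below 1.0."""
    data = bytearray(base)
    data[4 + (seed % 60)] ^= 0x01  # padding occupies offsets 4..63
    return bytes(data)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping byte n-grams: the toy fingerprint of a file."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def similarity(a: bytes, b: bytes) -> float:
    """Jaccard similarity of the two n-gram sets: 1.0 means identical content."""
    ga, gb = ngrams(a), ngrams(b)
    return len(ga & gb) / len(ga | gb)


def hash_blocklist_hits(samples: Iterable[bytes], blocklist: Set[str]) -> int:
    """Classic IOC matching: a sample is caught only if its exact hash is known."""
    return sum(sha256(s) in blocklist for s in samples)


def similarity_hits(samples: Iterable[bytes], reference: bytes, threshold: float = 0.9) -> int:
    """Fuzzy matching: a sample is caught if it is mostly the same bytes as a known one."""
    return sum(similarity(s, reference) >= threshold for s in samples)


def demo() -> Dict[str, float]:
    # Five victims, five builds; the defender only has the first one (say, from an IR case).
    variants = [make_variant(BASE_COMPONENT, i) for i in range(5)]
    known = variants[0]
    return {
        "distinct_hashes": len({sha256(v) for v in variants}),
        "hash_hits": hash_blocklist_hits(variants, {sha256(known)}),
        "similarity_hits": similarity_hits(variants, known),
        "unrelated_similarity": round(similarity(known, UNRELATED_COMPONENT), 3),
    }


if __name__ == "__main__":
    print(demo())
```

Five builds yield five distinct SHA-256 values, so the blocklist catches only the one copy the defender already has, while the similarity check catches all five and still scores the unrelated file near zero. In practice the same idea is what import hashing, fuzzy hashes, and YARA rules over stable strings provide, and the behavior analysis Alptekin mentions is the complementary route that does not depend on file content at all.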
He adds, “We observe similar patterns across other Iran-nexus threat clusters. Initial access methods vary, but most campaigns still rely on DLL sideloading combined with custom malware that looks nearly identical.”
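Alptekin's remark about DLL sideloading points to a check defenders can run regardless of which variant lands on a host. The Python below is an added example, not Prodaft's tooling or anything recovered from this campaign: it applies a simple sideloading heuristic to constructed image-load records modelled on Sysmon Event ID 7 (ImageLoad) fields. The trusted directories, the list of frequently sideloaded DLL names, and the sample events are illustrative assumptions, not a complete catalogue.

```python
"""Added example (not Prodaft's tooling or anything recovered from this campaign):
a minimal DLL-sideloading hunt over image-load telemetry.

The records are constructed to resemble Sysmon Event ID 7 (ImageLoad) fields;
the trusted directories and the list of frequently sideloaded DLL names are
illustrative assumptions, not a complete catalogue."""
import ntpath  # parses Windows paths regardless of the host OS
from typing import Dict, List, Tuple

# Where Windows itself serves these DLLs from (compared case-insensitively).
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}

# Assumption: system DLLs that signed, benign executables load by name, which is
# exactly what makes them attractive for planting a malicious copy next to the EXE.
SIDELOAD_CANDIDATES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll", "cryptsp.dll"}

# Constructed telemetry. Image = loading process, ImageLoaded = DLL that was mapped.
SAMPLE_EVENTS = [
    r"EventID=7|Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"EventID=7|Image=C:\Users\jdoe\AppData\Local\Temp\update\Viewer.exe|ImageLoaded=C:\Users\jdoe\AppData\Local\Temp\update\version.dll|Signed=false",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\SysWOW64\dbghelp.dll|Signed=true",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Users\jdoe\AppData\Roaming\svc\dbghelp.dll|Signed=false",
    r"EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'Key=Value|Key=Value' into a dict (Sysmon-style field names)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _directory(path: str) -> str:
    return ntpath.dirname(path).lower()


def classify(ev: Dict[str, str]) -> str:
    """Return a reason string if the load looks like sideloading, else ''."""
    dll = ev.get("ImageLoaded", "")
    if ntpath.basename(dll).lower() not in SIDELOAD_CANDIDATES:
        return ""
    dll_dir = _directory(dll)
    if dll_dir in TRUSTED_DIRS:
        return ""  # the real system copy
    if dll_dir == _directory(ev.get("Image", "")):
        return "system DLL name loaded from the executable's own directory"
    return "system DLL name loaded from an unexpected path"


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (loader, dll, reason) for every ImageLoad record that trips the heuristic."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue  # only image loads carry the fields we need
        reason = classify(ev)
        if reason:
            hits.append((ev["Image"], ev["ImageLoaded"], reason))
    return hits


if __name__ == "__main__":
    for loader, dll, reason in hunt(SAMPLE_EVENTS):
        print(f"{reason}: {dll} (loaded by {loader})")
```

On the constructed records, the two loads of a system-named DLL from a user-writable directory are flagged and the legitimate System32 and SysWOW64 loads are not. Real Sysmon events also carry the signature status and file hashes of the loaded image, which belong in the same rule; expect some tuning, since a few installers legitimately ship private copies of these DLLs.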
Subtle Snail: A Slime Trail of International Espionage
At the conclusion of its attack chain, Subtle Snail aims to steal a variety of data, including but not limited to:
- System and network information, including insights into installed security programs, virtual private network (VPN) configuration files, and data pertaining to the user’s browser usage patterns
- Credentials stored in password managers, files, Chromium browsers, and more
- Personally identifiable information (PII) in the form of photographs, passport scans, or wherever else such sensitive data might be found on a targeted system
- Proprietary business data, in whatever form it might come in: confidential documents, customer databases, and source code repositories
The goal, overall, appears to be twofold: gathering information useful for research and development, and snatching call data records (CDR) for use in international espionage.
This tracks with what we know of Subtle Snail in general. The group is linked to Tortoiseshell (aka Unyielding Wasp), which in turn is believed to be part of Charming Kitten, one of those umbrella advanced persistent threats (APTs), like North Korea’s Kimsuky, that seems to catch blame for any and all attacks from its host country. Charming Kitten is associated with Iran’s Islamic Revolutionary Guard Corps (IRGC).
Attribution is always a challenge, Alptekin warns. What he can say with relative certainty is that Iran’s hackers are split into distinct roles, malware developers and initial access operators, and that “many of those individuals are employed by security companies while also working for government customers.”
And Subtle Snail, by all accounts, is operating on behalf of state interests. He points out that “if documents are stolen from a telecom, the government is often the only available buyer for that type of data.”
