Unc1549

Threat Actor updated 6 months ago (2024-05-04T17:40:49.121Z)

Download STIX

Preview STIX

UNC1549, also known as Smoke Sandstorm and Tortoiseshell, is a suspected Iranian threat actor targeting the aerospace and defense sectors in the Middle East, specifically Israel and the United Arab Emirates. The group's activities have been discovered and tracked by Google Cloud’s Mandiant, who have linked it to a series of spear phishing and watering-hole attacks aimed at credential harvesting and malware distribution. These attacks are highly customized for each targeted organization, indicating a high level of research and preparation by UNC1549. The campaign orchestrated by UNC1549 also has potential implications for other countries including Turkey, India, and Albania. The threat actor has been observed exploiting Microsoft Azure Cloud services to carry out its attacks on defense sectors. The infrastructure used in these campaigns overlaps with those previously associated with hacking groups dubbed Tortoiseshell and Imperial Kitten. Despite this overlap, Mandiant attributes the recent cyberespionage campaign with medium confidence to UNC1549, suggesting that while it's likely this group is responsible, there's not enough evidence to completely rule out other actors. In response to UNC1549's activities, cybersecurity experts recommend companies block untrusted links in emails and provide up-to-date awareness training to employees on the latest phishing methods. This is due to UNC1549's reliance on spear phishing techniques which often involve sending deceptive emails to trick recipients into revealing sensitive information. Given the strategic sectors targeted by UNC1549, its activities pose significant security risks and require comprehensive defensive measures.

Description last updated: 2024-05-04T17:31:36.119Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Imperial Kitten is a possible alias for Unc1549. Imperial Kitten, also known as Tortoiseshell and UNC1549, is a significant threat actor identified by cybersecurity firms CrowdStrike and Mandiant. The group has been associated with various malicious activities, including the distribution of malware through SWC, and the use of IMAPLoader and other	2
Tortoiseshell Group is a possible alias for Unc1549.	2
Tortoiseshell is a possible alias for Unc1549. Tortoiseshell is a prominent threat actor associated with multiple Iranian Advanced Persistent Threat (APT) groups, including MASN. It has been linked to a multi-year cyberattack campaign that targeted over a dozen US companies and government entities, including the Department of the Treasury. The c	2
Smoke Sandstorm is a possible alias for Unc1549. Smoke Sandstorm, also known as UNC1549 and Tortoiseshell, is a threat actor believed to be based in Iran. The group was discovered by Google Cloud's Mandiant and has been linked to spear phishing and watering-hole attacks aimed at credential harvesting and malware distribution. Smoke Sandstorm has b	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Iran

Google

Phishing

Malware

Reconnaissance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Unc1549 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	Cyber Security Week in Review: March 1, 2024
CERT-EU	8 months ago	Weekly Cyber Security News Letter & Threats Roundup -March 24 \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	8 months ago	Iran hacking group impersonates defense firms, hostage campaigners
CERT-EU	8 months ago	Operationalizing NIST CSF 2.0; AI Models Run Amok \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
DARKReading	8 months ago	CISO Corner: Operationalizing NIST CSF 2.0; AI Models Run Amok
CERT-EU	8 months ago	'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	8 months ago	Iran hacking group impersonates defense firms, hostage campaigners \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	8 months ago	Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors
CERT-EU	8 months ago	Report Says Iranian Hackers Targeting Israeli Defense Sector
CERT-EU	8 months ago	Middle East subjected to suspected Iranian state-backed cyberespionage attacks
BankInfoSecurity	8 months ago	Report Says Iranian Hackers Targeting Israeli Defense Sector
DARKReading	8 months ago	'Illusive' Iranian Hacking Group Ensnares Israeli, UAE Aerospace and Defense Firms