UNC1860, the emerging Iranian cyber threat in global security

September 24, 2024

UNC1860 is an advanced persistent threat (APT) group that researchers assess is linked to Iran's Ministry of Intelligence and Security (MOIS). Its distinctive role is that of an initial-access provider: it compromises networks across the Middle East and then hands that access to other Iranian operators for follow-on intrusions.

UNC1860 is part of a broader web of Iranian cyber activity, with ties to other well-known threat actors such as Storm-0861, ShroudedSnooper, and Scarred Manticore.

The group is notable for its specialised tooling and, in particular, for its passive backdoors. Unlike a conventional implant that periodically beacons out to a command-and-control server, a passive backdoor sits on the compromised host and waits for inbound connections, so it generates no regular outbound traffic for defenders to spot. This is how UNC1860 keeps long-term footholds in high-value sectors such as government and telecommunications while avoiding detection.

UNC1860 first drew attention in July 2022, when it was associated with destructive attacks in Albania involving the ROADSWEEP ransomware, the CHIMNEYSWEEP backdoor and the ZEROCLEARE wiper. The group has also been tied to similar attacks in Israel that used newer malware such as the No-Justice wiper and BABYWIPER.

Security researchers describe UNC1860 as a highly sophisticated threat actor. Two key tools in its arsenal are TEMPLEPLAY and VIROGREEN, graphical malware controllers that allow other MOIS-linked operators to reach already-compromised hosts remotely, including over Remote Desktop Protocol (RDP). Through these controllers, third-party operators can deploy custom payloads, scan the internal network and carry out other post-exploitation activity without needing to understand how the initial compromise was achieved.

UNC1860 also shows tooling and targeting overlap with another Iranian APT group, APT34 (also tracked as Hazel Sandstorm and OilRig).

Both groups have targeted organisations in Iraq. UNC1860 typically gains its initial foothold opportunistically, by attacking vulnerable internet-facing servers. Once inside, it drops web shells and droppers such as STAYSHANTE and SASHEYAWAY, which in turn install more capable implants such as TEMPLEDOOR and FACEFACE.

Among UNC1860's post-exploitation tools, VIROGREEN stands out: it is a framework built to exploit SharePoint servers that are still vulnerable to CVE-2019-0604, a remote code execution flaw for which Microsoft released patches in 2019. Any internet-facing SharePoint instance that has not been updated since then is therefore a direct entry point for this actor. VIROGREEN lets operators control backdoors, execute commands and transfer files while keeping remote access to the host. Other tools in the suite include OATBOAT (a loader for shellcode payloads), TOFUDRV (a malicious Windows driver) and TUNNELBOI (a network controller used to manage RDP connections).

As tensions in the Middle East continue, UNC1860's ability to secure initial access and maintain persistence makes it a significant component of Iran's cyber operations. Taken together with Iran's recent cyber activity against US election campaigns, it underscores the country's increasingly aggressive approach to cyber warfare.
