UNC1549 Intensifies Cyber Attacks on Aerospace and Defense, Utilizing Advanced Tactics and Persistence Techniques

UNC1549’s Sophisticated Cyber Assaults on Aerospace and Defense Sectors

Since mid-2024, UNC1549, a threat group assessed to be Iranian-backed, has intensified its attacks on aerospace, aviation and defense organizations worldwide. The group combines two approaches: meticulously crafted, role-specific phishing campaigns, and abuse of the trust relationships between its primary targets and their third-party suppliers. The second approach is particularly effective against well-defended entities such as defense contractors, whose vendors are often softer targets for an initial compromise and whose legitimate access can then be turned against the contractor itself.

Evolution of Tactics

Active from late 2023 through 2025, UNC1549 has changed its operational methods considerably. The group uses highly targeted, role-specific phishing emails to establish an initial foothold. Once inside a network, it moves laterally with techniques that include:

– Spear-phishing built on stolen source code: after exfiltrating a victim's source code, UNC1549 uses what it learns to craft convincing spear-phishing campaigns, hosted on lookalike domains that web security proxies may not block.

– Abuse of internal systems: the group uses the victim's own internal service ticketing systems to harvest credentials from unsuspecting employees, who have little reason to distrust a request arriving through an internal channel, and so extends its access.

Custom Tooling and Evasion Techniques

Google Cloud security analysts have identified that UNC1549 deploys custom tools built to evade detection and complicate forensic investigation. Notably, every post-exploitation payload carries a unique hash, even when several samples of the same backdoor variant are found within a single victim network. In practice this means a hash recovered from one host is of no use for sweeping the rest of the estate: detection has to rest on behaviour, on code-structure signatures such as YARA rules, and on network patterns rather than on file hashes. The degree of per-victim customization also points to substantial resources and a strong commitment to operational security.

Search Order Hijacking for Persistence

A technically significant aspect of UNC1549's operations is its use of DLL search order hijacking for persistence. Windows resolves a DLL name by looking in the application's own directory before the system directories, so a malicious DLL dropped into a legitimate product's installation folder, under the name of a library that product loads, is picked up every time the legitimate program starts. Where that program runs as a service or at logon, the backdoor returns after every reboot without any registry, scheduled-task or startup-folder artefact of its own. This is not a vulnerability in the individual products but a weakness of the loader that any application binary can expose; the group has abused it in widely used enterprise software, including FortiGate, VMware, Citrix, Microsoft and NVIDIA executables.

TWOSTROKE Backdoor

The TWOSTROKE backdoor exemplifies UNC1549's technical sophistication. This custom C++ backdoor talks to its command-and-control servers over TLS (SSL)-encrypted TCP connections on port 443, so its traffic blends in with ordinary HTTPS. On execution it derives a bot ID for the victim as follows: it retrieves the fully qualified DNS computer name with the Windows API call GetComputerNameExW(ComputerNameDnsFullyQualified), XORs that name with a static key, renders the result as lowercase hexadecimal, keeps the first eight hex characters and reverses them.

TWOSTROKE's command set gives the operators broad post-compromise capability: system information collection, dynamic DLL loading, file manipulation and persistent backdoor access. Tasking arrives from the command servers as hex-encoded payloads that may carry several commands at once, separated by the delimiter @##@. Commands range from file upload and shell command execution to directory listing and file deletion.

Long-Term Persistence and Anticipation of Remediation

UNC1549's campaign is built for long-term persistence and anticipates the investigator's response. The group deploys backdoors some of which remain dormant for months and activate only after the victim attempts remediation, so that an incomplete clean-up leaves a way back in. Combined with extensive use of reverse SSH shells and domains that mimic the victim's industry, this creates a challenging operating environment for defenders.

Indicators of Compromise (IOCs)

Organizations should be vigilant for the following indicators associated with UNC1549 activity. These are behavioural patterns rather than atomic indicators: the group's per-victim payload hashes and industry-themed lookalike domains vary from victim to victim, so hash and domain lists are of limited use here.

– Phishing emails: messages that appear to come from legitimate aerospace and defense companies, or from a trusted supplier, but carry malicious links or attachments.

– Suspicious DLLs: unexpected DLL files in software installation directories, particularly those of FortiGate, VMware, Citrix, Microsoft and NVIDIA products, and especially a DLL that is unsigned or signed by a different publisher than the application beside it, or that is absent from the vendor's own installation manifest.

– Unusual network traffic: long-lived or regularly recurring TLS connections on TCP port 443 to unknown or suspicious IP addresses, particularly when the connecting process is a vendor service binary rather than a browser, and reverse SSH sessions leaving the network.

– Dormant backdoors: implants that stay inactive for extended periods before initiating command-and-control communication; a host that begins beaconing shortly after a remediation effort deserves particular attention.
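The network indicator above is hard to act on as a sentence, because legitimate HTTPS also goes to port 443. What sets an implant apart is regularity: it checks in on a timer. The following added Python example, written for this page and not taken from the original article or from any vendor tooling, runs a simple beacon-periodicity check over constructed connection log lines. The log format (epoch seconds, source host, destination IP, destination port, process image), the hostnames, addresses, process paths and the thresholds are all assumptions for illustration.

```python
"""Beacon-periodicity detector over constructed connection logs.
Added example for this page; format, data and thresholds are assumptions."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log lines: "epoch_seconds,src_host,dst_ip,dst_port,image".
# WS01's vendor agent talks to 203.0.113.45:443 every ~300 s with little jitter;
# WS01's browser traffic is irregular; WS02 shows only three regular connections.
SAMPLE_LOG = r"""
1700000000,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000300,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000602,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000901,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700001202,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700001502,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700001800,WS01,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000010,WS01,198.51.100.7,443,C:\Program Files\Browser\browser.exe
1700000057,WS01,198.51.100.7,443,C:\Program Files\Browser\browser.exe
1700000957,WS01,198.51.100.7,443,C:\Program Files\Browser\browser.exe
1700000969,WS01,198.51.100.7,443,C:\Program Files\Browser\browser.exe
1700003469,WS01,198.51.100.7,443,C:\Program Files\Browser\browser.exe
1700000100,WS02,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000400,WS02,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
1700000700,WS02,203.0.113.45,443,C:\Program Files\Vendor\agent.exe
"""


def parse_log(text: str):
    """Parse the constructed CSV-like format into (ts, src, dst, dport, image)."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port, image = line.split(",", 4)
        rows.append((float(ts), src, dst, int(port), image))
    return rows


def find_beacons(rows, port=443, min_conns=5, max_jitter=0.05):
    """Flag (src, dst, image) flows on the given port whose inter-connection
    gaps are regular: at least min_conns connections and a coefficient of
    variation of the gaps (stdev / mean) no greater than max_jitter."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport, image in rows:
        if dport == port:
            by_flow[(src, dst, image)].append(ts)

    hits = []
    for (src, dst, image), stamps in by_flow.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period <= 0:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            hits.append({"src": src, "dst": dst, "image": image,
                         "count": len(stamps), "period": round(period, 1),
                         "jitter": round(jitter, 4)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The thresholds are deliberately conservative: a real deployment would tune min_conns to the observation window and allow for implants that add random sleep jitter, and would enrich each hit with the process image so that a vendor service binary checking in on a timer stands out from a browser doing the same thing to a CDN.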

Mitigation Strategies

To defend against UNC1549’s sophisticated tactics, organizations should implement the following measures:

1. Employee training: conduct regular training that teaches employees to recognize phishing, to verify the source of an email, and to be wary of credential requests even when they arrive through internal channels such as ticketing systems.

2. Software integrity checks: baseline the contents of software installation directories at install time and regularly compare them against that baseline, so that an unauthorized or altered DLL stands out.

3. Network monitoring: monitor egress for TLS connections that are unusual for the connecting host or process, including regular beaconing on port 443 and reverse SSH sessions, rather than trusting traffic simply because it is encrypted on a common port.

4. Incident response planning: develop and regularly update incident response plans, and assume that a discovered implant may not be the only one; hunt for dormant secondary backdoors before declaring remediation complete.

5. Patch management: keep all software and systems current with security patches to close known vulnerabilities. Note that DLL search order hijacking abuses legitimate loader behaviour rather than a single patchable bug, so patching complements rather than replaces the integrity checks in item 2.
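As an added worked example of mitigation 2, and of how the search order hijacking described earlier shows up on disk, the following Python script baselines an installation directory by file hash, compares a later snapshot against it, and singles out added or modified loadable modules. It is illustrative code written for this page, not tooling from Google or from any of the vendors named; the directory layout, file contents and the planted file name version.dll are hypothetical.

```python
"""Install-directory integrity baseline and diff. Added example for this page;
the directory tree and the planted DLL name are hypothetical."""
import hashlib
import tempfile
from pathlib import Path

LOADABLE = (".dll", ".exe")


def hash_tree(root) -> dict:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare two snapshots; the baseline is the one taken at install time."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_loadable(diff: dict) -> list:
    """An added or altered DLL/EXE inside a vendor's own tree is the signal for
    search order hijacking; config or log churn is expected and is not flagged."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.lower().endswith(LOADABLE))


def demo() -> dict:
    """Build a hypothetical vendor tree, baseline it, simulate a later state in
    which an attacker planted a DLL and an admin edited the config, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Vendor"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "agent.exe").write_bytes(b"MZ legit service binary")
        (root / "bin" / "agent.dll").write_bytes(b"MZ legit helper library")
        (root / "config.ini").write_text("[agent]\nlevel=1\n")
        baseline = hash_tree(root)                     # captured at install time

        # Later: a DLL named like an import the product loads appears beside the
        # binary (hypothetical name), and the config is legitimately changed.
        (root / "bin" / "version.dll").write_bytes(b"MZ planted payload")
        (root / "config.ini").write_text("[agent]\nlevel=2\n")

        diff = diff_baseline(baseline, hash_tree(root))
        return {"diff": diff, "flagged": flag_loadable(diff)}


if __name__ == "__main__":
    print(demo())
```

Keep the baseline off the host, ideally signed, since an attacker with write access to the installation directory can also rewrite a manifest stored next to it. On Windows, pair the diff with Get-AuthenticodeSignature on each flagged file: a module that is unsigned, or signed by a different publisher than the executable beside it, is the case the text describes.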

Conclusion

UNC1549’s operations highlight the evolving landscape of cyber threats targeting critical industries. Their sophisticated techniques, including custom tooling and strategic persistence, underscore the need for organizations to adopt comprehensive cybersecurity strategies. By staying informed about emerging threats and implementing proactive defense measures, organizations can better protect themselves against such advanced adversaries.