UNC1860

Also known as: UNC1860

๐ŸŒ Country Iran

Introduction

UNC1860 is a persistent and opportunistic Iranian state-sponsored threat actor that is likely affiliated with Iran’s Ministry of Intelligence and Security (MOIS). A key feature of UNC1860 is its collection of specialized tooling and passive backdoors that Mandiant believes supports several objectives, including its role as a probable initial access provider and its ability to gain persistent access to high-priority networks, such as those in the government and telecommunications space throughout the Middle East.

Activities and Tactics

Country of Origin: 🇮🇷 Iran

Notable Campaigns

Information pending cataloguing.

Tactics, Techniques, and Procedures (TTPs)

Information pending cataloguing.

Notable Indicators of Compromise (IOCs)

No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.

Malware and Tools

  • SPACESHIP
  • Backdoor.Oldrea

Attribution and Evidence

Country of Origin: Iran

Additional attribution information pending cataloguing.

References

References pending cataloguing.