Stav Shulman

UNC1860 & The Temple of Oats – Iran’s hidden hand in Middle Eastern Networks

This presentation pieces together seemingly unrelated tools and incidents into a single cohesive story about an emerging threat group, UNC1860. For years, UNC1860, a state-sponsored Iranian threat actor, operated covertly, leaving behind a trail of tools and incidents that multiple security vendors could not attribute to a single entity. Through meticulous investigation, we correlated the clues left by this actor, which had managed to stay in the shadows for a long time, and exposed not only its full arsenal but also its intent and tactics.

While remaining largely obscured despite its persistent targeting of government, telecommunications and critical infrastructure entities across the Middle East since at least 2018, this group has in fact frequently played the role of an advanced access broker employed by the Iranian government. In this talk, we shed light on the advanced aspects of the group's activity. This includes its sophisticated use of Windows kernel-mode drivers, which entailed repurposing drivers from an Iranian antivirus product as well as developing custom kernel implants that demonstrate the group's extensive reverse engineering of Windows kernel components. Moreover, our research reveals previously undisclosed tools extracted from victim systems that were used as webshells and passive backdoor controllers in production environments.

Drawing on Google Cloud Mandiant's real-world incident response experience in the Middle East, we illustrate UNC1860's distinct tactics within compromised environments, demonstrating how its activities facilitate operations for a broad spectrum of Iranian threat actors. This includes destructive attacks against government networks that have garnered international attention and sophisticated espionage operations by MOIS-affiliated APTs. By connecting the dots of UNC1860's activities, we unveil a critical component of Iran's cyber strategy and the associated risks to organizations in the region and beyond.


Stav Shulman is a Senior Researcher and Analyst at Google Cloud's Mandiant with significant expertise in reverse engineering and in the long-term tracking and hunting of state-sponsored actors. Stav started her career in incident response and analysis of mobile malware, focusing on the Android operating system. In the last few years, she has been tracking and analyzing various malware families and threat actors operating against Middle Eastern targets, as well as operations performed by Middle Eastern threat actors. She has presented her research at conferences including SAS, BlueHat, CyberWeek, ITDefense and BSidesTLV.

[Speaker headshot: Stav Shulman, LABScon 2024]