Operation DeepRoot: UNC1549’s Covert Espionage Against Aerospace and Defense Networks

Tags: UNC1549, DEEPROOT, TWOSTROKE, Aerospace, Espionage
According to Google Cloud Mandiant, the Iran-nexus group UNC1549 is driving a long-running espionage campaign specifically targeting the aerospace, aviation, and defense industries. The attackers gain entry by mixing supply chain compromises with precise spear-phishing attacks. To maintain stealthy, long-term access, they utilize DLL search order hijacking to execute custom backdoors known as TWOSTROKE and DEEPROOT.

Indicators of Compromise

forcecodestore.com
airbus.usa-careers.com
thetacticstore.com
vcs-news.com
automationagencybusiness.com
tini-ventures.com
politicalanorak.com
aaaaaaaaaaaaaaaaaa.bbbbbb.cccccccc.ddddd.com
airplaneserviceticketings.com
airtravellog.com
fdtsprobusinesssolutions.com

APT Groups (1)

UNC1549 (IR)

Summary of Actor: UNC1549 is a financially-motivated threat actor known for its ransomware operations. They have been active in targeting high-value organizations, leveraging sophisticated techniques to compromise systems.

General Features: UNC1549 specializes in ransomware attacks, often employing advanced persistence mechanisms and data exfiltration techniques before deploying ransomware. They are known for their ability to move laterally within networks and evade detection.

Related Other Groups: FIN12, Wizard Spider

Indicators of Attack (IoA):
Suspicious use of administrative tools
Unusual network traffic patterns
Data exfiltration to external servers
Ransomware notes left on compromised systems

Recent Activities and Trends:
Latest Campaigns: UNC1549 was recently linked to a high-profile ransomware attack on a major healthcare provider, resulting in significant data breaches and operational disruptions.
Emerging Trends: There is a noticeable shift towards targeting critical infrastructure and adopting double extortion tactics, where data is not only encrypted but also exfiltrated and threatened to be published unless ransom is paid.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

Detection strategies (ID, Name) and their analytics (Analytic ID, Analytic Description):

ID: DET0500
Name: Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users
Analytic ID: AN1380
Analytic Description: Privileged or rarely used accounts performing bulk access to SharePoint files or metadata over a short time window, indicating potential scripted collection of sensitive internal documents.

ID: DET0346
Name: Detect Screen Capture via Commands and API Calls
Analytic ID: AN0980
Analytic Description: Unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk.

ID: DET0346
Name: Detect Screen Capture via Commands and API Calls
Analytic ID: AN0981
Analytic Description: Invocation of built-in commands like screencapture or use of undocumented APIs from suspicious parent processes.

ID: DET0346
Name: Detect Screen Capture via Commands and API Calls
Analytic ID: AN0982
Analytic Description: Use of tools like xwd or import to generate screenshots, especially under non-GUI parent processes.

ID: DET0878
Name: Detection of Spearphishing Link
Analytic ID: AN2010
Analytic Description: Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[49][50] Monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can also help detect links leading to known malicious sites.[3]

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g., Cyrillic vs. Latin versions of trusted sites).

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Monitor and analyze traffic patterns and perform packet inspection for the protocol(s) in use, leveraging SSL/TLS inspection for encrypted traffic, to find traffic that does not follow the expected protocol standards and flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line logging to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., monitor for files that do not normally initiate connections for the respective protocol(s)).

Furthermore, monitor network traffic for homographs via the use of internationalized domain names abusing different character sets (e.g., Cyrillic vs. Latin versions of trusted sites). Also monitor and analyze traffic patterns and packet inspection for indicators of cloned websites. For example, if adversaries use HTTrack to clone websites, "Mirrored from (victim URL)" may be visible in the HTML section of packets.

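The homograph check that AN2010 describes (browser or proxy logs inspected for Cyrillic-vs-Latin lookalikes of trusted sites, and for ASCII lookalikes such as "rn" for "m"), written out as an added example. This is not code from the page, from MITRE, or from Mandiant. The trusted-domain list, the proxy log format and the log lines themselves are constructed for the example; the registrable domain is approximated as the last two labels because no Public Suffix List is available offline. It also flags the pattern visible in this campaign's own IoC list, a trusted brand placed as a subdomain of an unrelated registered domain (airbus.usa-careers.com), which no character-level check would catch.

```python
import re
import unicodedata

# Constructed trusted list for this example (an assumption, not from the page).
TRUSTED_DOMAINS = {"airbus.com", "example-defense.com"}

# Non-Latin letters that render like Latin letters in most fonts (Cyrillic, Greek).
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s", "ԛ": "q", "һ": "h", "ο": "o", "ν": "v", "α": "a",
}
# ASCII-only lookalikes: letter pairs and digits that imitate other letters.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Constructed proxy log lines (not real traffic). Third line uses a Cyrillic "а".
SAMPLE_PROXY_LOG = [
    "2024-01-01T10:00:00Z user=jdoe host=careers.airbus.com status=200",
    "2024-01-01T10:01:12Z user=jdoe host=airbus.usa-careers.com status=200",
    "2024-01-01T10:02:30Z user=asmith host=аirbus.com status=200",
    "2024-01-01T10:04:44Z user=bcho host=example-defense.com status=200",
    "2024-01-01T10:05:01Z user=bcho host=exarnple-defense.com status=200",
]
HOST_RE = re.compile(r"\bhost=(\S+)")


def to_unicode_host(host):
    """Lower-case the host and decode punycode labels (xn--...) to Unicode."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label, it is still inspected
        labels.append(label)
    return ".".join(labels)


def label_scripts(label):
    """Set of Unicode script names (first word of the character name) for letters in a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Fold a host to a Latin skeleton so visually similar names compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", host))
    for pattern, replacement in ASCII_CONFUSABLES:
        folded = folded.replace(pattern, replacement)
    return folded


def analyze_host(host, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one host; an empty list means nothing suspicious."""
    host = to_unicode_host(host)
    labels = host.split(".")
    findings = []
    for label in labels:
        if len(label_scripts(label)) > 1:  # Latin and Cyrillic mixed in one label
            findings.append("mixed-script-label:" + label)
    if host in trusted:
        return findings
    host_skeleton = skeleton(host)
    for trusted_host in sorted(trusted):
        if host_skeleton == skeleton(trusted_host):
            findings.append("homograph-of:" + trusted_host)
    # Approximation: registrable domain = last two labels (no Public Suffix List offline).
    registered = ".".join(labels[-2:])
    if registered not in trusted:
        for trusted_host in sorted(trusted):
            brand = trusted_host.split(".")[0]
            if brand in labels[:-2]:  # brand used as a subdomain of someone else's domain
                findings.append("brand-as-subdomain:" + trusted_host)
    return findings


def scan_proxy_log(lines, trusted=TRUSTED_DOMAINS):
    """Map each flagged host (as logged) to its findings."""
    flagged = {}
    for line in lines:
        match = HOST_RE.search(line)
        if match:
            findings = analyze_host(match.group(1), trusted)
            if findings:
                flagged[match.group(1)] = findings
    return flagged


if __name__ == "__main__":
    for host, findings in scan_proxy_log(SAMPLE_PROXY_LOG).items():
        print(host, findings)
```

The skeleton comparison is deliberately lossy: it only says "this host would look like a trusted one to a human", so it is a triage signal to join with the process and network context the analytic also calls for, not a verdict on its own.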

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1336
Analytic Description: A high volume of authentication failures using a single password (or small set) across many different user accounts within a defined time window.

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1337
Analytic Description: Authentication failures across different accounts using a repeated or similar password via SSH or the PAM stack within a short window.

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1338
Analytic Description: Multiple failed login attempts across different users using common password patterns (e.g., 'Welcome2023').

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1339
Analytic Description: Sign-in failures across enterprise SSO applications or SaaS platforms from the same IP address using the same password against multiple user identities.

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1340
Analytic Description: Authentication failure logs on routers/switches showing repeated use of default or common passwords across multiple accounts.

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1341
Analytic Description: Repeated failed authentication attempts to container APIs, control planes, or login shells across many user names using the same password.

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1342
Analytic Description: Failed authentication attempts across user mailboxes using identical or common passwords (e.g., OWA brute-force attempts).

ID: DET0487
Name: Distributed Password Spraying via Authentication Failures Across Multiple Accounts
Analytic ID: AN1343
Analytic Description: SaaS applications receiving authentication failures for dozens of accounts using the same password or login signature.
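The DET0487 analytics above share one shape: many distinct accounts failing from one source inside a time window. Since authentication logs do not record the password that was tried, "distinct accounts per source per window" is the measurable stand-in for "one password against many accounts". The following added example (not code from the page, MITRE or Mandiant) implements that sliding-window count over constructed log lines in two formats, an sshd-style line for AN1337 and a generic SSO-style line for AN1339; both formats, the timestamps and the addresses are constructed for the example. The sample also contains one user mistyping their own password (many failures, one account) so the rule can be seen not firing, and a slow spray that only appears once the window is widened.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication failures (not real logs); addresses are documentation ranges.
SAMPLE_AUTH_LOG = [
    # Fast spray: seven accounts from one source in twelve seconds, across SSH and SSO.
    "2024-03-01T08:00:01Z sshd: Failed password for alice from 203.0.113.5 port 50000 ssh2",
    "2024-03-01T08:00:03Z sshd: Failed password for bob from 203.0.113.5 port 50001 ssh2",
    "2024-03-01T08:00:05Z sshd: Failed password for invalid user carol from 203.0.113.5 port 50002 ssh2",
    "2024-03-01T08:00:07Z sshd: Failed password for dave from 203.0.113.5 port 50003 ssh2",
    "2024-03-01T08:00:09Z sshd: Failed password for erin from 203.0.113.5 port 50004 ssh2",
    "2024-03-01T08:00:11Z sso: result=FAILURE user=frank src_ip=203.0.113.5 app=mail",
    "2024-03-01T08:00:13Z sso: result=FAILURE user=grace src_ip=203.0.113.5 app=mail",
    # One user repeatedly mistyping a password: many failures, a single account, not a spray.
    "2024-03-01T08:10:00Z sshd: Failed password for heidi from 198.51.100.7 port 51000 ssh2",
    "2024-03-01T08:10:04Z sshd: Failed password for heidi from 198.51.100.7 port 51001 ssh2",
    "2024-03-01T08:10:09Z sshd: Failed password for heidi from 198.51.100.7 port 51002 ssh2",
    # Slow spray: five accounts, one every ten minutes; invisible to a 5-minute window.
    "2024-03-01T09:00:00Z sshd: Failed password for ivan from 192.0.2.9 port 52000 ssh2",
    "2024-03-01T09:10:00Z sshd: Failed password for judy from 192.0.2.9 port 52001 ssh2",
    "2024-03-01T09:20:00Z sshd: Failed password for invalid user kim from 192.0.2.9 port 52002 ssh2",
    "2024-03-01T09:30:00Z sso: result=FAILURE user=leo src_ip=192.0.2.9 app=vpn",
    "2024-03-01T09:40:00Z sso: result=FAILURE user=mia src_ip=192.0.2.9 app=vpn",
]

SSH_RE = re.compile(r"^(?P<ts>\S+) sshd: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
SSO_RE = re.compile(r"^(?P<ts>\S+) sso: result=FAILURE user=(?P<user>\S+) src_ip=(?P<ip>\S+)")


def parse_failure(line):
    """Normalise one log line to (timestamp, user, source_ip); None if it is not a failure."""
    for pattern in (SSH_RE, SSO_RE):
        match = pattern.match(line)
        if match:
            ts = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            return ts, match.group("user"), match.group("ip")
    return None


def detect_password_spray(lines, window_seconds=300, min_accounts=5):
    """One alert per source whose busiest window touches at least min_accounts distinct accounts."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for line in lines:
        record = parse_failure(line)
        if record:
            ts, user, ip = record
            by_ip[ip].append((ts, user))

    alerts = []
    for ip, events in by_ip.items():
        events.sort()
        best = None
        start = 0
        in_window = defaultdict(int)  # failures per account inside the current window
        for end, (ts, user) in enumerate(events):
            in_window[user] += 1
            # Slide the window start forward until it spans at most window_seconds.
            while ts - events[start][0] > window:
                old_user = events[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            if best is None or len(in_window) > best["distinct_accounts"]:
                best = {
                    "source_ip": ip,
                    "distinct_accounts": len(in_window),
                    "failures": end - start + 1,
                    "window_start": events[start][0].isoformat(),
                    "window_end": ts.isoformat(),
                }
        if best and best["distinct_accounts"] >= min_accounts:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["distinct_accounts"], reverse=True)


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_AUTH_LOG):
        print(alert)
    print("with a one-hour window:")
    for alert in detect_password_spray(SAMPLE_AUTH_LOG, window_seconds=3600):
        print(alert)
```

Window and threshold are the whole tuning problem: the 5-minute default catches the fast spray and ignores the mistyped password, but misses the source that tries one account every ten minutes until the window is widened to an hour. In practice the same count is run at several window sizes, and the source key is broadened beyond a single IP (ASN, user agent, or SSO client ID) because sprays against SaaS and mail (AN1342, AN1343) are routinely distributed across many addresses.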

Reports & References (1)

Observed Countries (250)

AD (23)
AE (49)
AF (369)
AG (659)
AI (951)
AL (15)
AM (195)
AO (406)
AQ (951)
AR (404)
AS (500)
AT (62)
AU (284)
AW (533)
AX (452)
AZ (719)
BA (928)
BB (740)
BD (428)
BE (589)
BF (518)
BG (193)
BH (152)
BI (160)
BJ (965)
BL (261)
BM (581)
BN (330)
BO (588)
BQ (371)
BR (551)
BS (656)
BT (377)
BV (553)
BW (58)
BY (462)
BZ (185)
CA (683)
CC (316)
CD (150)
CF (274)
CG (695)
CH (643)
CI (589)
CK (366)
CL (422)
CM (554)
CN (676)
CO (380)
CR (36)
CU (794)
CV (632)
CW (463)
CX (360)
CY (734)
CZ (697)
DE (421)
DJ (232)
DK (415)
DM (742)
DO (633)
DZ (700)
EC (762)
EE (512)
EG (801)
EH (746)
ER (588)
ES (542)
ET (525)
FI (113)
FJ (890)
FK (179)
FM (570)
FO (764)
FR (808)
GA (705)
GB (392)
GD (341)
GE (221)
GF (350)
GG (636)
GH (259)
GI (46)
GL (95)
GM (578)
GN (155)
GP (734)
GQ (370)
GR (4)
GS (976)
GT (723)
GU (836)
GW (747)
GY (692)
HK (819)
HM (528)
HN (843)
HR (555)
HT (449)
HU (497)
ID (761)
IE (363)
IL (630)
IM (863)
IN (27)
IO (581)
IQ (91)
IR (416)
IS (875)
IT (318)
JE (264)
JM (457)
JO (648)
JP (237)
KE (587)
KG (111)
KH (193)
KI (867)
KM (608)
KN (738)
KP (785)
KR (868)
KW (293)
KY (722)
KZ (895)
LA (21)
LB (853)
LC (130)
LI (548)
LK (515)
LR (444)
LS (42)
LT (475)
LU (833)
LV (867)
LY (670)
MA (719)
MC (387)
MD (968)
ME (786)
MF (638)
MG (100)
MH (222)
MK (788)
ML (640)
MM (325)
MN (513)
MO (403)
MP (203)
MQ (185)
MR (982)
MS (223)
MT (465)
MU (817)
MV (431)
MW (856)
MX (525)
MY (861)
MZ (554)
NA (867)
NC (513)
NE (624)
NF (673)
NG (684)
NI (248)
NL (529)
NO (811)
NP (69)
NR (752)
NU (136)
NZ (790)
OM (741)
PA (54)
PE (985)
PF (546)
PG (270)
PH (69)
PK (12)
PL (279)
PM (633)
PN (853)
PR (135)
PS (465)
PT (306)
PW (698)
PY (336)
QA (933)
RE (41)
RO (495)
RS (405)
RU (956)
RW (63)
SA (919)
SB (156)
SC (143)
SD (611)
SE (991)
SG (68)
SH (207)
SI (808)
SJ (594)
SK (469)
SL (2)
SM (223)
SN (856)
SO (153)
SR (651)
SS (567)
ST (10)
SV (974)
SX (190)
SY (992)
SZ (951)
TC (375)
TD (199)
TF (911)
TG (201)
TH (491)
TJ (761)
TK (601)
TL (606)
TM (43)
TN (946)
TO (536)
TR (625)
TT (638)
TV (64)
TW (947)
TZ (238)
UA (252)
UG (920)
UM (89)
US (866)
UY (5)
UZ (546)
VA (467)
VC (116)
VE (308)
VG (769)
VI (730)
VN (279)
VU (983)
WF (460)
WS (170)
XK (303)
YE (700)
YT (433)
ZA (276)
ZM (101)
ZW (393)