Iranian Cyber Group UNC1860: A Growing Threat in the Middle East

Google’s cybersecurity unit, Mandiant, released a report on September 19 exposing an Iranian state-sponsored cyber group known as UNC1860.

Believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), this group has been actively infiltrating high-priority networks across the Middle East, including government and telecommunications sectors.

The report, titled “UNC1860 and the Temple of Oats,” details the group’s sophisticated tooling, including passive backdoors used to maintain long-term access to compromised networks. Mandiant describes UNC1860 as a likely “initial access provider” for destructive operations carried out by other Iranian-linked cyber units, and notes overlaps with activity that other vendors track as ShroudedSnooper and Scarred Manticore.

Though UNC1860’s direct involvement in major attacks, such as the 2023 wiper attack on Israel and the 2022 ROADSWEEP attacks in Albania, cannot be confirmed, the report assesses that the group likely provided the initial access for them. Its custom malware controllers, TEMPLEPLAY and VIROGREEN, let operators remotely control the backdoors deployed on infected systems.

UNC1860’s toolkit reflects advanced capabilities, including reverse engineering of Windows components, exploitation of vulnerabilities, and detection-evasion techniques that make its implants hard for security tools to spot. A kernel-mode driver repurposed from an Iranian antivirus product shows the group’s familiarity with Windows kernel internals and lets it stealthily monitor and control compromised hosts.

The report also mentions links between UNC1860 and APT34, another Iranian cyber-espionage group.

Both have targeted entities in Iraq, Saudi Arabia, and Qatar. UNC1860 also uses networks it has already compromised as staging points for attacks on further targets, making it a persistent threat. Mandiant’s findings underline the growing espionage and sabotage capabilities of Iranian cyber actors across the Middle East, whose prolonged access to critical networks poses significant security risks.