top of page
  • Writer's pictureAnup Ghosh

Mandiant Warns Iranian Threat Actor Group Targeting Defense and IT Services Firms

The Download

While Chinese hackers have grabbed the headlines, Iranian threat actor group under the monikers Smoke Sandstorm and TortoiseShell, appears to be ratcheting up threats against international defense and IT Services firms as a flank to their regional low intensity conflicts. The group uses spearphishing and watering hole attacks (compromising legitimate websites their targets are likely to visit) to compromise their victims and drop backdoors onto unwitting users' machines.

Google's Mandiant division reports that TortoiseShell is targeting aerospace and defense firms in Israel and UAE to further their strategic interests in the region, and likely to get access to their government clients' systems and data.

What You Can Do

While the report does not call out attacks directly on the US, Iranian threat actors have previously attacked US interests, especially in connection with political events. The primary means of compromise is through spearphishing and watering hole attacks. Staying vigilant on spearphishing attacks is important. In addition, Google released specific indicators of compromise related to the attacks and to MINIBUS malware and its command and control infrastructure that you can hunt in system and network logs.

For more reading:



bottom of page