The cyber espionage group Subtle Snail has been publicly exposed. To date it has compromised 34 devices across 11 telecommunications organizations spanning four continents. This Iran-affiliated group has been operating since at least June 2022. Also tracked as UNC1549, TA455, Boggy Serpens, and Mango Sandstorm, it is widely reported to act on behalf of the Iranian regime's Islamic Revolutionary Guard Corps (IRGC). The campaign has focused on telecommunications companies operating in Europe, though the group has also taken an interest in aerospace and defense companies.
Subtle Snail's targets are located in the UK, US, Canada, France and the UAE. The group uses advanced techniques to obscure its activity, including attacker-controlled Azure cloud services and Virtual Private Servers (VPSes) as proxy infrastructure. Routing traffic through legitimate cloud providers lets the group blend in with normal enterprise traffic and stay below the radar while pursuing its espionage goals.
Targeted Approach and Techniques
Subtle Snail's campaigns are slow and deliberate, with each target approached carefully over time. Their operations rely on a set of custom malware tools for network intrusion, persistence and data exfiltration. The arsenal described so far includes:
BugSleep: a Python-based backdoor providing command execution and file transfer.
LiteInject: a portable executable (PE) injector.
StealthCache: a highly adaptable VB-based backdoor that can read and write files, terminate itself, fingerprint security processes on the host, and steal credentials.
Fooder: a loader that decrypts and executes encrypted payloads in memory.
These tools allow Subtle Snail to maintain long-term access to high-value, well-connected networks while collecting the intelligence needed for strategic, state-sponsored espionage.
“The group’s primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes,” – PRODAFT
The group's broader tradecraft includes modifying legitimate DLL files so they can be abused in DLL side-loading attacks, in which a trusted, signed executable loads the attacker's DLL from its own directory instead of the genuine system library. Function names inside the tampered DLLs are replaced with static string variables that are resolved at runtime, which helps the files evade static detection. The result is a file that looks benign on inspection while carrying out malicious operations once loaded.
“Legitimate DLL files are modified to facilitate a seamless execution of a DLL side-loading attack,” – PRODAFT
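As an added example of the check a defender would run for the side-loading pattern described above (this is not PRODAFT's code, nor the group's tooling), the following Python hunt walks Sysmon Event ID 7 (Image Loaded) records and flags any DLL whose filename matches a Windows system library but that was loaded from outside the Windows system directories, raising the severity when the DLL is unsigned. The flattened `Key=Value|Key=Value` record format, the `SYSTEM_DLL_NAMES` list and the log lines are constructed for illustration.

```python
"""Hunt for DLL side-loading candidates in Sysmon Event ID 7 (Image Loaded) records.

Added example, not PRODAFT's or the threat group's code. The records below are
constructed; the field names (Image, ImageLoaded, Signed, SignatureStatus)
follow the real Sysmon EID 7 schema, the flattened 'Key=Value|...' layout does not.
"""
import ntpath
from dataclasses import dataclass

# DLL names that Windows normally loads only from its own system directories.
# A file with one of these names sitting next to an application binary is the
# classic side-loading setup. Constructed, illustrative subset, not a full list.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptsp.dll", "dwmapi.dll"}

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed sample log: one benign system load, one unsigned side-load from a
# temp directory, one benign vendor DLL, and one signed copy of a system DLL
# name shipped next to a downloaded binary.
SAMPLE_LOG = [
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\alice\AppData\Local\Temp\update\updater.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\update\version.dll|Signed=false|SignatureStatus=Unavailable",
    r"EventID=7|Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\vendorcore.dll|Signed=true|SignatureStatus=Valid",
    r"EventID=7|Image=C:\Users\bob\Downloads\viewer.exe|ImageLoaded=C:\Users\bob\Downloads\dbghelp.dll|Signed=true|SignatureStatus=Valid",
]


@dataclass
class Finding:
    image: str          # process that performed the load
    image_loaded: str   # DLL path that was loaded
    severity: str       # "high" when the DLL is unsigned, "low" otherwise
    reason: str


def parse_record(line: str) -> dict:
    """Split a flattened 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(rec: dict):
    """Return a Finding for a side-loading candidate, or None for a normal load."""
    loaded = rec.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    # Only a system DLL name loaded from a non-system path is suspicious here.
    if name not in SYSTEM_DLL_NAMES or loaded.lower().startswith(SYSTEM_DIRS):
        return None
    validly_signed = (rec.get("Signed", "").lower() == "true"
                      and rec.get("SignatureStatus") == "Valid")
    reason = f"{name} loaded from outside the Windows system directories"
    if not validly_signed:
        # A tampered copy of a legitimate DLL loses its Authenticode signature.
        reason += "; DLL is unsigned or its signature is invalid"
    return Finding(rec.get("Image", ""), loaded, "low" if validly_signed else "high", reason)


def hunt(lines):
    """Run the rule over a list of records and return all findings in log order."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("EventID") != "7":
            continue
        finding = evaluate(rec)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f.severity}] {f.image} -> {f.image_loaded}: {f.reason}")
```

The signed-but-misplaced case is kept at low severity on purpose: some vendors legitimately redistribute copies of libraries such as dbghelp.dll, so in production the name list should be paired with an allowlist of known redistributables and with the host binary's own signer before the rule is promoted to an alert.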
Phishing and Social Engineering Tactics
Subtle Snail's initial access is primarily phishing-based. The group often poses as human resources staff or recruiters from legitimate companies to engage employees of targeted organizations. This social engineering tactic gives them a foothold in enterprise networks.
Once contact is established, they compromise the target with a MINIBIKE backdoor variant that is used to maintain access and exfiltrate data. This variant communicates with its command-and-control (C2) infrastructure through Azure cloud services. Proxying C2 through a legitimate cloud provider conceals who owns the infrastructure and blends the traffic in with ordinary cloud usage, which keeps the operation covert.
“The group operates by posing as HR representatives from legitimate entities to engage employees, then compromises them through deployment of a MINIBIKE backdoor variant that communicates with command-and-control (C2) infrastructure proxied through Azure cloud services,” – PRODAFT
Recent analyses show that Subtle Snail still uses malicious documents (maldocs) with embedded macros to achieve infection. It hosts its malicious assets on Amazon Web Services (AWS) and uses Cloudflare services to mask the infrastructure behind them.
“Recent activity shows that they still rely on phishing for delivery, leveraging maldocs with malicious macros for infection,” – Mansour Alhmoud
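As an added example of a gateway-side check for the macro-based delivery described above (this is an illustration, not code from PRODAFT, from the quoted analyst, or from the threat group), the following Python inspects an Office Open XML document for VBA regardless of its file extension: a renamed .docm still carries a `word/vbaProject.bin` part and a `vbaProject` content-type override in `[Content_Types].xml`. The sample documents are constructed in memory, and `classify` and its policy labels are hypothetical names chosen for this example.

```python
"""Detect embedded VBA in Office Open XML documents without trusting the extension.

Added example, not the page's or any vendor's code. build_sample() constructs a
minimal Word package in memory so the check runs offline; it is not a real document.
"""
import io
import zipfile

# Content type that OOXML packages declare for the VBA project part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = b"\xd0\xcf\x11\xe0"      # legacy binary Office (.doc/.xls) container
ZIP_MAGIC = b"PK\x03\x04"           # OOXML packages are zip files


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word package (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<?xml version="1.0" encoding="UTF-8"?>',
                 '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                 '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CONTENT_TYPE}"/>')
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stub OLE container standing in for a real compiled VBA project.
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> dict:
    """Return what the package contents say about macros, ignoring the filename."""
    result = {"is_ooxml": False, "has_vba_part": False,
              "declares_vba_type": False, "has_macros": False}
    if not data.startswith(ZIP_MAGIC):
        return result
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = z.namelist()
    result["is_ooxml"] = "[Content_Types].xml" in names
    # Check both signals: the VBA part itself and the declared content type,
    # so that dropping one of them does not slip past the check.
    result["has_vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if result["is_ooxml"]:
        content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        result["declares_vba_type"] = MACRO_CONTENT_TYPE in content_types
    result["has_macros"] = result["has_vba_part"] or result["declares_vba_type"]
    return result


def classify(filename: str, data: bytes) -> str:
    """Hypothetical gateway policy label for an attachment.

    'ooxml-macro'  : OOXML package carrying VBA, whatever the extension says
    'ooxml-clean'  : OOXML package without VBA
    'ole-legacy'   : legacy binary Office file; needs an OLE-aware scanner
    'other'        : not an Office container
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    info = inspect_ooxml(data)
    if info["is_ooxml"]:
        return "ooxml-macro" if info["has_macros"] else "ooxml-clean"
    return "other"


if __name__ == "__main__":
    # A .docm renamed to .docx is still classified by its contents, not its name.
    for name, blob in [("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE_MAGIC + b"\x00" * 8)]:
        print(name, "->", classify(name, blob))
```

The legacy OLE branch deliberately stops at classification: the binary .doc format stores macros inside OLE streams rather than a zip part, so it needs an OLE-aware parser (for example the oletools project) rather than this zip-based check.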
Overlaps with Other Iranian Hacking Groups
Subtle Snail overlaps with two other Iranian hacking groups: Smoke Sandstorm and Crimson Sandstorm (also known as Imperial Kitten, TA456, Tortoiseshell, and Yellow Liderc). These overlaps point to a wider operational ecosystem in which the groups share tools, techniques, and possibly personnel.
The overlap between these groups is a good indicator of the seriousness and scale of the cyber threat posed by Iranian-linked hackers. Taken together, Subtle Snail and its allied groups have considerable collective reach, and they substantially expand the exposure of companies in essential industries such as telecommunications.
“They use predefined paths to guide their searches and focus on stealing emails, VPN configurations, and other information that helps them maintain control,” – PRODAFT
The impact of Subtle Snail's operations goes beyond financial loss. Through intelligence gathering and long-term access to telecommunications networks, they could cause serious damage to national security interests and to the stability of critical infrastructure.
“Subtle Snail’s operations cause serious damage by combining intelligence gathering with long-term access to critical telecommunications networks,” – PRODAFT