An Escalating Cyber-Espionage Campaign In The Middle East

Cyber-attacks in the Middle East are on the rise, and the US Department of Homeland Security is warning US companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

This is the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency (CISA), following the assassination of a leading Iranian military commander.

Iran-linked hackers have been running spearphishing email campaigns against governmental organisations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published by Dell Secureworks.

Most of the targeting began before the US killing of General Soleimani, the leader of Iran’s Quds Force, in Baghdad in early January.

The alert highlighted that Iranian hackers could be zeroing in on the defense industrial base, government agencies, academia and nongovernmental organisations. The campaign Secureworks’ Counter Threat Unit (CTU) has observed, with activity from mid-2019 to mid-January of 2020, has also targeted intergovernmental organisations and unknown entities in Georgia and Azerbaijan, according to the CTU, which declined to share how many entities, and which ones, have been targeted.

It’s not clear whether the increase in these apparent espionage operations is a response to the Soleimani killing or simply a natural progression of the campaigns. While lures from this group in the past have been related to intelligence themes, this espionage campaign is more “generic,” according to Secureworks.

Based on the victims and code similarities, Secureworks assesses the activity to be the work of MuddyWater, an Iranian hacking group that has been known to target Middle Eastern, European, and North American nations.

A New RAT

To execute its attack, MuddyWater has been sending targets malicious Microsoft Excel Spreadsheet files through .zip archives in their spearphishing messages, CTU assesses. In one version of the campaign, the Excel file delivers a Remote Access Trojan (RAT) that has not previously been observed, according to Secureworks.

The RAT, which CTU is dubbing “ForeLord,” uses DNS tunneling: its requests are sent to legitimate DNS servers, which then pass them on to malicious servers controlled by the attackers, so the command-and-control traffic blends in with ordinary DNS resolution.
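As an added illustration, not code from the Secureworks report or this article, the following heuristic shows how a defender might sift DNS resolver logs for tunneling-style traffic of the kind described above: many distinct, long, high-entropy leftmost labels queried under one registered domain. The log format, client addresses and domain names are all constructed for the example and are not indicators from the campaign.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log sample: "<timestamp> <client> <qtype> <qname>".
# All domains are placeholders invented for this example, not real indicators.
SAMPLE_LOG = """\
2020-01-14T09:00:01Z 10.0.0.5 A www.example.com
2020-01-14T09:00:02Z 10.0.0.5 A mail.example.com
2020-01-14T09:00:03Z 10.0.0.7 TXT 6a4f2b9c1d3e8f7a.cdn-update.example.net
2020-01-14T09:00:04Z 10.0.0.7 TXT 0c9e7b5a3f1d2e4b.cdn-update.example.net
2020-01-14T09:00:05Z 10.0.0.7 TXT b8d1f3a5c7e9204f.cdn-update.example.net
2020-01-14T09:00:06Z 10.0.0.7 TXT 5e2a8c0f4b6d1e37.cdn-update.example.net
2020-01-14T09:00:07Z 10.0.0.5 A static.example.com
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude: last two labels. Production code would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_tunnel_candidates(log_text, min_unique=3, min_label_len=12, min_entropy=3.0):
    """Map registered domain -> count of distinct leftmost labels that look like
    encoded data (long and high-entropy). Only domains at or above min_unique are kept."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        labels = m.group(3).rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # bare registered domain, no label to carry a payload
        first = labels[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            subs[registered_domain(m.group(3))].add(first)
    return {d: len(s) for d, s in subs.items() if len(s) >= min_unique}
```

The thresholds are starting points only; tune them against the organisation's own DNS baseline and allow-list CDNs and security products that legitimately issue long encoded labels.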

The tools MuddyWater appears to deploy after initial intrusion, such as a variant of Mimikatz, a credential-theft tool, suggest that Iran may be interested in harvesting credentials from its targets.

“After gaining initial access to a host, the threat actors dropped several tools to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network,” the researchers write.

Cyber-espionage and sabotage are the chief motivations for groups carrying out such attacks, according to the report. Their preferred mode of duping targets is spear phishing, the practice of sending emails that appear to come from a trusted sender in order to trick recipients into revealing information.

Sources: CyberScoop, CNBC, TechCrunch
