An Escalating Cyber-Espionage Campaign In The Middle East

Uploaded on 2020-03-18 in INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW

Cyber-attacks in the Middle East are on the rise and the US Dept. of US Homeland Security is warning US companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

This is the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency following the assasination of a leading Iranian military commander.

Iran-linked hackers have been running spearphishing email campaigns against governmental organisations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published by Dell Secureworks

Most of the targeting, began before the US killing of General Soleimani, the leader of the Iran’s Quds Force, in Baghdad early January.

The alert highlighted that Iranian hackers could be zeroing in on the defense industrial base, government agencies, academia and nongovernmental organisations. The campaign Secureworks’ Counter Threat Unit (CTU) has observed, with activity from mid-2019 to mid-January of 2020, has also targeted intergovernmental organisations and unknown entities in Georgia and Azerbaijan, according to the CTU, which declined to share how many entities, and which ones, have been targeted.

It’s not clear if the activity increase in these apparent espionage operations is in a response to the Soleimani killing or if it is just a natural progression of the campaigns and while lures from this group in the past have been related to intelligence themes, this espionage campaign is more “generic,” according to Secureworks. 

Based on the victims and code similarities, Secureworks assesses the activity to be the work of MuddyWater, an Iranian hacking group that has been known to target Middle Eastern, European, and North American nations.

A New RAT

To execute its attack, MuddyWater has been sending targets malicious Microsoft Excel Spreadsheet files through .zip archives in their spearphishing messages, CTU assesses. In one version of the campaign, the Excel file delivers a Remote Access Trojan (RAT) that has not previously been observed, according to Secureworks.

The RAT, which CTU is dubbing “ForeLord,” uses DNS tunneling so that requests are directed to legitimate DNS servers but then rerouted to malicious servers controlled by the attackers.

The tools MuddyWater appears to be deploying after initial intrusion, such as a variant of the Mimikatz malware, appear to show Iran may be interested in gaining credentials from its targets.

“After gaining initial access to a host, the threat actors dropped several tools to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network,” the researchers write.

Cyber-espionage and sabotage are the chief motivations for groups carrying out such attacks, according to the report. Their preferred mode of duping targets is through spear phishing, a practice of sending emails from ostensibly a trusted sender in order to trick them into revealing information.

CyberScoop:       CNBC:      Techcrunch:

You Might Also Read: 

Hamas Hackers Use New Malware:

 


 

« Where Is Iran's Cyber Response To It's General's Assassination?
The Hot Jobs In Cyber Security & How To Get One »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CyberSecurityJobsite.com

CyberSecurityJobsite.com

CyberSecurityJobsite.com is a specialist job board designed to attract candidates working within Cyber Security, Information Security or Information Assurance.

AVR International

AVR International

AVR educate, advise, analyse and provide professional, technical consultancy and support to ensure your business is safe, compliant and protected.

Advantech

Advantech

Advantech is a leader in providing trusted innovative embedded and automation products and solutions. Activities include IoT security.

Bechtel

Bechtel

Bechtel’s Industrial Control Systems Cyber Security Laboratory focuses on protecting large-scale industrial and infrastructure systems that support critical infrastructure.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

Emagined Security

Emagined Security

Emagined Security is a leading provider of professional services for Information Security and Compliance solutions.

Alias Robotics

Alias Robotics

Alias Robotics is a robot cyber security company. We deliver cyber security solutions for robots and robot components.

usecure

usecure

usecure is a global provider of computer-based cyber security awareness training, offering the market’s most time-efficient, cost-effective and admin-lite solution for reducing insider threats.

Center for Information Technology Policy (CITP) - Princeton University

Center for Information Technology Policy (CITP) - Princeton University

The Center for Information Technology Policy at Princeton University is a nexus of expertise in technology, engineering, public policy, and the social sciences.

blueAllianceIT

blueAllianceIT

blueAlliance IT is an investment and growth platform that unites local MSP and IT companies around the nation, helping them to grow and operate competitively.

Eunetic

Eunetic

Eunetic IT security solutions - we secure your websites, emails, domains and data.

LayerX Security

LayerX Security

LayerX's user-first browser security platform turns any browser into the most protected & manageable workspace, by providing real-time monitoring and governance over users’ activities on the web.

Cyberplc

Cyberplc

Cyberplc is a global cybersecurity consulting firm providing services to government, the public sector and enterprises.

Vali Cyber

Vali Cyber

Vali Cyber was founded in 2020 with the mission of addressing the specific cybersecurity needs of Linux.

Bit Sentinel

Bit Sentinel

Bit Sentinel is an information security company. We help companies like yours discover, prioritize, and effectively remediate potential cybersecurity risks.

DHCO IT

DHCO IT

The DHCO IT team are experts in IT support, cyber security, cloud support and disaster recovery, and are Microsoft 365 partners.