An Escalating Cyber-Espionage Campaign In The Middle East

Uploaded on 2020-03-18 in INTELLIGENCE--International, GOVERNMENT-National, FREE TO VIEW

Cyber-attacks in the Middle East are on the rise and the US Dept. of US Homeland Security is warning US companies to “consider and assess” the possible impacts and threat of a cyberattack on their businesses following heightened tensions with Iran.

This is the first official guidance published by the government’s dedicated cyber advisory unit, the Cybersecurity and Infrastructure Security Agency following the assasination of a leading Iranian military commander.

Iran-linked hackers have been running spearphishing email campaigns against governmental organisations in Turkey, Jordan and Iraq in recent months in a likely effort to gather intelligence, according to research published by Dell Secureworks

Most of the targeting, began before the US killing of General Soleimani, the leader of the Iran’s Quds Force, in Baghdad early January.

The alert highlighted that Iranian hackers could be zeroing in on the defense industrial base, government agencies, academia and nongovernmental organisations. The campaign Secureworks’ Counter Threat Unit (CTU) has observed, with activity from mid-2019 to mid-January of 2020, has also targeted intergovernmental organisations and unknown entities in Georgia and Azerbaijan, according to the CTU, which declined to share how many entities, and which ones, have been targeted.

It’s not clear if the activity increase in these apparent espionage operations is in a response to the Soleimani killing or if it is just a natural progression of the campaigns and while lures from this group in the past have been related to intelligence themes, this espionage campaign is more “generic,” according to Secureworks. 

Based on the victims and code similarities, Secureworks assesses the activity to be the work of MuddyWater, an Iranian hacking group that has been known to target Middle Eastern, European, and North American nations.

A New RAT

To execute its attack, MuddyWater has been sending targets malicious Microsoft Excel Spreadsheet files through .zip archives in their spearphishing messages, CTU assesses. In one version of the campaign, the Excel file delivers a Remote Access Trojan (RAT) that has not previously been observed, according to Secureworks.

The RAT, which CTU is dubbing “ForeLord,” uses DNS tunneling so that requests are directed to legitimate DNS servers but then rerouted to malicious servers controlled by the attackers.

The tools MuddyWater appears to be deploying after initial intrusion, such as a variant of the Mimikatz malware, appear to show Iran may be interested in gaining credentials from its targets.

“After gaining initial access to a host, the threat actors dropped several tools to collect credentials, test those credentials on the network, and create a reverse SSL tunnel to provide an additional access channel to the network,” the researchers write.

Cyber-espionage and sabotage are the chief motivations for groups carrying out such attacks, according to the report. Their preferred mode of duping targets is through spear phishing, a practice of sending emails from ostensibly a trusted sender in order to trick them into revealing information.

CyberScoop:       CNBC:      Techcrunch:

You Might Also Read: 

Hamas Hackers Use New Malware:

 


 

« Where Is Iran's Cyber Response To It's General's Assassination?
The Hot Jobs In Cyber Security & How To Get One »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Pondurance

Pondurance

Pondurance is an IT Security and Compliance company providing services in Cyber Security, Continuity, Compliance and Threat Management.

RCMP Cybercrime Strategy

RCMP Cybercrime Strategy

The RCMP Cybercrime Strategy sets out in an Operational Framework and Action Plan to combat cybercrime.

Vaulto Technologies

Vaulto Technologies

Vaulto protects critical business processes that are conducted via the cellular network.

Sapien Cyber

Sapien Cyber

Sapien Cyber is an Australian company bringing leading-edge cyber security and threat intelligence solutions.

Ravelin Technology

Ravelin Technology

Ravelin prevents chargebacks, fraud, and account takeover. Machine learning and human insight combine for highly accurate fraud detection and prevention.

ABS Group

ABS Group

ABS Group provides risk and reliability solutions and technical services that help clients confirm the safety, integrity and security of critical assets and operations.

ChainSecurity

ChainSecurity

ChainSecurity provides products and services for securing smart contracts and blockchain protocols and conducts R&D in the areas of security, program analysis, and machine learning.

Intercast Global

Intercast Global

Intercast's mission is to be a strategic resource to our clients in Risk Reduction. We are a global leader in cyber security staffing and consulting to the enterprise.

Cyway

Cyway

Cyway is a value-added cybersecurity distributor focusing on on-prem, cloud solutions and hybrid solutions, IoT, AI & machine learning IT security technologies.

CybrHawk

CybrHawk

CybrHawk is a leading provider of information security-driven risk intelligence solutions focused solely on protecting clients from cyber-attacks.

VanishID

VanishID

VanishID (formerly Picnic) is a gritty, pioneering team of intelligence and cybersecurity specialists focused on solving the security challenge of our time - social engineering.

Technivorus Technology

Technivorus Technology

Technivorus is a deep-tech firm delivering customized Cybersecurity, Digital Marketing, Web & App Development, and multifarious IT services for businesses across the globe.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

Security4Media

Security4Media

Security4Media is a non-profit association set up to reduce risks and support trust in media, in the face of increasing cybersecurity threat levels.

JustunSecure

JustunSecure

JustunSecure is dedicated to promoting information technology and cybersecurity in Africa.

Convergint

Convergint

Convergint is a service-based systems integrator working alongside a global network of partners and manufacturers to deliver a range of solutions including cybersecurity.