Middle eastern hackers are training with Europeans, says new report

Are hacking groups from the Middle-East and Eastern Europe coming together? That's the conclusion of a new report by cyber-security company, Norse.

Norse claims that though it can't disclose many of its methods and sources due to safety concerns, it has identified three cases where Eastern European hacker groups are exchanging training and help with counterparts in the middle-east. Norse describes the phenomenon: “This trend is not just your average script kiddy begging for N-day exploit proverbial scraps”, rather, says Norse, “it's an established pattern of direct and continuous contact between Middle Eastern hackers travelling to Europe to obtain training and experience, then either staying or returning home to begin politically-motivated attacks on global targets.”

In the first instance, Norse has found Iran's Ashiyane Digital Security Team (ADST) and the Romanian Security Team (RST) to be collaborating.  The ADST, Norse told SCMagazineUK.com, is one of the more sophisticated hacking groups around "whose agenda has been to protect Iran from social media attacks." It has also been publicly linked to working with the Iranian government. The RST however, seems to have more of a financial motive and is quite likely to sell training, tools or techniques to whoever paid them.  

Apparently the two groups have been exchanging target and exploit data, via their forums. Norse first found a list of compromised Simple Message Text (SMTP) systems on the RST forum. Six months later, the ADST forums posted that same list, which were identified as being used in various malicious attacks.

The second case involves the infamous Middle East Cyber Army (MECA), a group with links to other groups like #OpIsrael and Anonymous and thought to be  behind the hacking of 3,500 websites this year. The group was laid low by Bulgarian security services in July, after they found a 21 year old Syrian national working for the group inside the country. In his apartment, they found several suspect items including specialised hacking tools. Norse notes: “The question remains as to who may have been training this person.”

The final case that Norse found is well known. #OpNimr is part of a campaign by Anonymous, to seek revenge for Ali Mohammed Al-Nimr. Ali was a young Saudi national, arrested by the government when he was only 17. He was then tortured; forced to sign a confession; and then sentenced to death. The international community has received this news with outrage, and Anonymous has taken it up as a cause. 

But why this collaboration between groups who have seemingly little to do with each other? Norse told SC that "The motives do not necessarily need to be the same for there to be a common ground. Worldwide groups like Anonymous who have a large footprint in Europe may be happy to aid in geo-political activities within the Middle East which will disrupt, degrade or deny access to the local government in their fight for what they consider justice."

Norse added that, in terms of wider geopolitics, "This implies that smaller, less tech-savvy groups, may be able to use funding to gain knowledge, experience and cyber-weapons from more developed groups in Europe. This of course poses a significant threat to large corporations and governments being targeted by these politically motivated Middle Eastern groups, who with the proper funding, are now able to grow in size and capabilities beyond taking down websites for a few hours." 

In the worst cases "these capabilities fall into the hands of terrorists who have malicious intent and very little to lose."