Security researchers have discovered an online espionage campaign targeting high profile organisations from around the world with a focus on countries in the Middle East and North Africa.
The researchers said that the attackers represent a previously unknown, geopolitically motivated threat actor. Neither Israel nor Iran was mentioned among the targets, and while no suggestion was made that either of these might be the source, Iran is currently in dispute with the GCC states in Yemen and has previously hacked Saudi Arabia, so it would be high on any list of suspects based on motivation.
“They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organisations and personnel worldwide, especially of vulnerable and non-trained staff,” researchers said in a blog post.
They added that victims range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on, added researchers.
The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialised configuration.
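The check-in pattern described above (a short plaintext summary of the host going out, an encrypted serialised configuration coming back) is something a defender can look for in proxy or web logs. The following is an added example, not code from the article or from the researchers: it scores response bodies by Shannon entropy and flags sessions where a small request drew a large, high-entropy reply, which is how an encrypted blob differs from ordinary JSON or HTML. The log records, host names, thresholds and the `_pseudo_ciphertext` filler are all constructed assumptions for the demonstration.

```python
"""Flag small check-ins answered with high-entropy bodies.

Heuristic (added example, not from the article): a malware check-in sends a
short plaintext summary of the host, and the server answers with an encrypted
serialised configuration. Encrypted data has near-maximal byte entropy, while
ordinary API responses (JSON, HTML) do not, so a small request followed by a
large high-entropy response is worth a closer look.
"""
import hashlib
import math
from collections import Counter


def _pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic filler standing in for an encrypted blob (constructed data)."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed proxy records, not captured traffic. Hosts use the reserved
# .invalid TLD; client addresses are private-range placeholders.
SAMPLE_RECORDS = [
    {   # short host summary out, large opaque blob back: the pattern of interest
        "client": "10.0.0.5",
        "host": "update.example.invalid",
        "request_body": b"id=WS01&user=jdoe&os=Windows+10",
        "response_body": _pseudo_ciphertext(b"cfg", 1024),
    },
    {   # ordinary API call: small request, readable JSON back
        "client": "10.0.0.6",
        "host": "api.example.invalid",
        "request_body": b'{"query":"status"}',
        "response_body": b'{"status":"ok","items":[{"id":1,"name":"printer"},{"id":2,"name":"scanner"}]}',
    },
    {   # large upload answered with an archive: high entropy, but not a small check-in
        "client": "10.0.0.7",
        "host": "files.example.invalid",
        "request_body": b"x" * 4096,
        "response_body": _pseudo_ciphertext(b"zip", 1024),
    },
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def flag_config_pulls(records, max_request_bytes=512, min_response_bytes=256,
                      entropy_threshold=6.5):
    """Return records where a small request drew a large, high-entropy response.

    Thresholds are assumptions for the demonstration; tune them against the
    baseline of the environment being monitored.
    """
    flagged = []
    for rec in records:
        ent = shannon_entropy(rec["response_body"])
        if (len(rec["request_body"]) <= max_request_bytes
                and len(rec["response_body"]) >= min_response_bytes
                and ent >= entropy_threshold):
            flagged.append({"client": rec["client"], "host": rec["host"],
                            "entropy": round(ent, 2)})
    return flagged


if __name__ == "__main__":
    for hit in flag_config_pulls(SAMPLE_RECORDS):
        print(f"{hit['client']} -> {hit['host']}: "
              f"response entropy {hit['entropy']} bits/byte")
```

Entropy alone is a weak signal (compressed downloads and TLS-wrapped content score just as high), which is why the check also requires a small request: the combination narrows the hits to sessions that resemble a configuration pull, and those are candidates for host triage rather than verdicts.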
Researchers said that in order to defend against such attacks, organisations need to pay particular attention to their security, implementing additional measures to ensure they are well protected.
“High-profile organisations should have elevated levels of cyber-security. Attacks against them are inevitable and are unlikely to ever cease,” said researchers. “The victims of Operation Parliament need to re-evaluate their approach to cyber-security.”
Andy Norton, director of threat intelligence at Lastline, told SC Media UK that understanding the phylogeny of malware is a critical piece of cyber-threat acumen, allowing targets of sophisticated threat actors to react with a tailored incident response. This goes beyond the standard response, which is normally a simple instruction to re-image the system and which often fails to address the residual risk of a more sophisticated actor.
“Understanding the code sequences that separate the malicious building blocks of code used in intrusions by advanced actors for the purposes of espionage, or destruction or theft of PII data, will enable organisations to apply more appropriate incident response tactics,” he said.
Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that the careful targeting and geopolitical nature of these attacks certainly point towards a nation-state group. “The efforts made to blend in with the noise of other attack groups point to a nation-state actor trying very hard not to be noticed. We typically see these types of false-flag operations by advanced, nation-state actors who have a very broad and comprehensive knowledge of other groups' activities,” he said.