Operation Parliament malware targets Middle East region

News by Rene Millman

Cyber-espionage campaign targets government agencies, legislative bodies, and large corporates

Security researchers have discovered an online espionage campaign targeting high profile organisations from around the world with a focus on countries in the Middle East and North Africa.

Dubbed “Operation Parliament” by Kaspersky Labs, the campaign has been going since 2017 and targets legislative, executive and judicial organisations in the UAE, Saudi Arabia, Jordan, Palestine, Egypt, Kuwait, Qatar, Iraq, Lebanon, Oman, Djibouti and Somalia.

The researchers said that he attackers represent a previously unknown geopolitically motivated threat actor.  Neither Israel nor Iran were mentioned among targets, and while no suggestion was made that one of these might be the source, Iran is currently in dispute with the GCC states in Yemen and has previously hacked Saudi Arabia, thus would be high on any list of suspects based on motivation.

“They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organisations and personnel worldwide, especially of vulnerable and non-trained staff,” researchers said in a blog post.

They added that victims range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on, added researchers.

The malware used in the attacks was first seen packed with VMProtect; when unpacked the sample didn't show any similarities with previously known malware. Strings were  encrypted and obfuscated using  3DES and Base64 encoding. Data sent to the C&C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption.

The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialised configuration.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests.

Researchers said that in order to defend against such attacks, organisations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. 

“High-profile organisations should have elevated levels of cyber-security. Attacks against them are inevitable and are unlikely to ever cease,” said researchers.” The victims of Operation Parliament need to re-evaluate their approach to cyber-security.”

Andy Norton, director of threat intelligence at Lastline, told SC Media UK that understanding the phylogeny of malware is a critical piece of cyber-threat acumen. Allowing targets of sophisticated threat actors to react with a tailored incident response, beyond that of standard response which is normally a simple instruction to re-image the system, and which often fails to address the residual risk of a more sophisticated actor. 

“Understanding the code sequences that separate the malicious building blocks of code used in intrusions by advanced actors for the purposes of espionage, or destruction or theft of PII data, will enable organisations to apply more appropriate incident response tactics,” he said.

Nicholas Griffin, senior cyber-security specialist at Performanta, told SC Media UK that careful targeting and geopolitical nature of these attacks certainly point towards a nation state group. “The efforts made to blend in with the noise of other attack groups points to a nation state actor trying very hard not to be noticed. We typically see these types of false flag operations by advanced, nation state actors who have a very broad and comprehensive knowledge of other groups' activities,” he said.

“The unfortunate truth is that if you are a high value target for an advanced attacker, the chances of them getting into your network is not a question of if, but when. High-profile organisations need to implement several layers of security across each stage of the kill chain, and have a strict security education programme in place for their employees.” 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews