Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Government, manufacturing, and the energy industry are the top targets of advanced, persistent threat actors, with phishing attacks and remote exploits the most common vectors.

4 Min Read
Map of the Middle East in electric green
Source: Panther Media via Alamy Stock Photo

Sixteen advanced persistent threat (APT) groups targeted organizations in the Middle East over the past two years with cyberattacks focused on government agencies, manufacturing companies, and the energy industry.

The APT actors have mostly targeted organizations in Saudi Arabia, the United Arab Emirates, and Israel and include well-known groups such as Oilrig and Molerats, as well as lesser-known entities such as Bahamut and Hexane, according to an analysis published on March 27 by cybersecurity services firm Positive Technologies.

The groups aim to obtain information that puts their state sponsors at a political, economic, and military advantage, the researchers said. They documented 141 successful attacks that could be attributed to the groups.

"Companies should pay attention to what tactics and techniques which APT groups attacking the region are using," says Yana Avezova, a senior information security analyst at Positive Technologies. "Companies in the Middle East region can understand how these groups typically operate and prepare for certain steps accordingly."

The cybersecurity firm used its analysis to determine the most popular types of attacks used by the APT actors, including phishing for initial access, encrypting and camouflaging their malicious code, and communicating using common application-layer protocols, such as Internet Relay Chat (IRC) or DNS requests.

Of the 16 APT actors, six groups — including APT 35 and Moses Staff — were linked to Iran, three groups — such as Molerats — were linked to Hamas, and two groups were linked to China. The analysis only covered cyberattacks by groups considered both sophisticated and persistent, with Positive Technologies elevating some groups (such as Moses Staff) to APT status, rather than as a hactivist group.

"During the research, we came to the conclusion that some of the groups categorized as hacktivists by certain vendors are not actually hacktivist in nature," the report stated, adding that "after a more in-depth analysis, we reached the conclusion that Moses Staff attacks are more sophisticated than hacktivist ones, and the group poses a greater threat than hacktivist groups typically do."

Top Initial Vectors: Phishing Attacks, Remote Exploitation

The analysis maps the various techniques used by each group to the MITRE AT&CK Framework to determine the most common tactics used among the APT groups operating in the Middle East.

The most common tactics to gain initial access include phishing attacks — used by 11 APT groups — and exploiting vulnerabilities in public-facing applications, which was used by five groups. Three of the groups also use malware deployed to websites as part of a watering-hole attack targeting visitors in what is also known as a drive-by download attack.

"Most APT groups initiate attacks on corporate systems with targeted phishing," the report stated. "Most often, this involves email campaigns with malicious content. Besides email, some attackers — such as APT35, Bahamut, Dark Caracal, OilRig — use social networks and messengers for phishing attacks."

Once inside the network, all but one group gathered information on the environment, including the operating system and hardware, while most groups (81%) also enumerated the user accounts on the system and collected network configuration data (69%), according to the report.

While "living off the land" has become a major concern among cybersecurity professionals, nearly all the attackers (94%) downloaded additional attack tools from external networks. Fourteen of the 16 APT groups used application-layer protocols — such as IRC or DNS — to facilitate the download, the report stated.

Focused on Long-Term Control

The APT groups are typically focused on long-term control of infrastructure, becoming active during a "geopolitically crucial moment," Positive Technologies stated in the report. To prevent their success, companies should look out for their specific tactics, but also focus on hardening their information and operational technology.

The inventory and prioritization of assets, using event monitoring and incident response, and training employees to be more aware of cybersecurity issues are all critical steps for long-term security, says Positive Technologies' Avezova.

"In short, it is important to adhere to the key principles of result-driven cybersecurity," she says, adding that "the first steps to take are to counter the most commonly used attack techniques."

Out of the 16 groups, the majority targeted organizations in six different Middle Eastern nations: 14 targeted Saudi Arabia; 12 the UAE; 10 Israel; nine Jordan; and eight each targeted Egypt and Kuwait.

While government, manufacturing, and energy were the most commonly targeted sectors, mass media and the military-industrial complex are increasingly common victim targets, the company stated in the report.

With the increasing targeting of critical industries, organizations should treat cybersecurity as a critical initiative, the report stated.

"[T]he primary goal [should be] eliminating the possibility of non-tolerable events — events that prevent an organization from achieving its operational or strategic goals or lead to significant disruption of its core business as a result of a cyberattack," the company stated in the report. "These events are defined by the organization's top management and lay the foundation for a cybersecurity strategy."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights