Complex Made Simple

Threat actors muddy waters in Middle East with APT hijacks and fake leaks in Q2

Middle East cyber warfare was focused on espionage or financial gain, but at least one campaign appears to have been intended to spread disinformation

  • In May, Kaspersky analyzed the online leak of apparent cyber-espionage assets belonging to an Iranian entity, and concluded that the actor behind the dump could be Hades.
  • Hades is the group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm, and various disinformation campaigns.
  • Activity in the Middle East saw online leaks of assets such as code, infrastructure, and group details, typically associated with the Persian-speaking threat actors OilRig and MuddyWater.

By Kaspersky Lab 

Advanced persistent threat (APT) activity in the second quarter of 2019 included a number of operations targeting or originating in the Middle East and South Korea. Much of the activity was focused on cyber-espionage or financial gain, but at least one campaign appears to have been intended to spread disinformation. 

In May, Kaspersky researchers analyzed the online leak of apparent cyber-espionage assets belonging to an Iranian entity, and concluded that the actor behind the dump could be Hades, a group also linked to ExPetr and the cyberattack on the 2018 Winter Olympic Games. These and other APT trends across the world are covered in Kaspersky’s latest quarterly threat intelligence summary.

In the second quarter of 2019, Kaspersky researchers observed some interesting activity in the Middle East. 

This included a series of online leaks of assets such as code, infrastructure, group and apparent victim details, allegedly belonging to known Persian-speaking threat actors, OilRig and MuddyWater. The leaks originated from different sources but all appeared within a few weeks of each other. The third online leak, which apparently exposed information related to an entity called the “RANA institute”, was published in Persian on a website named “Hidden Reality”. 

This leak could be connected to the threat actor Hades. Hades is the group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm, and various disinformation campaigns like the 2017 leak of emails relating to Emmanuel Macron’s presidential election campaign in France. 


Further APT highlights in Q2, 2019 include:

  • Russian-speaking groups continue to consistently refine and release new tools, and to launch new operations. For example, since March, Zebrocy appears to have turned its attention towards Pakistan/India events, officials, and related diplomats and military, as well as maintaining ongoing access to local and remote Central Asian government networks. 
  • Researchers observed an active campaign targeting government bodies in Central Asia by Chinese-speaking APT group SixLittleMonkeys, using a new version of the Microcin Trojan and a RAT that Kaspersky calls HawkEye as a last stager.  

“The second quarter of 2019 shows just how clouded and confusing the threat landscape has become, and how often something is not what it seems. Among other things, we saw a threat actor hijacking the infrastructure of a smaller group, and another group possibly capitalizing on a series of online leaks to spread disinformation and undermine the credibility of exposed assets. The security industry faces an ever-growing task to cut through the smoke and mirrors to find the facts and threat intelligence that cybersecurity relies on. As always, it is important to add that our visibility is not complete, and there will be activity that is not yet on our radar or not fully understood – so protection against both known and unknown threats remains vital for everyone,” said Vicente Diaz, Principal Security Researcher, Global Research and Analysis Team, Kaspersky. 

For more information on the APT trends report for Q2, please contact: [email protected] 


In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Provide your SOC team with access to the latest Threat Intelligence, to keep up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
  • For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
  • As many targeted attacks start with phishing or other social engineering technique, introduce security awareness training and teach practical skills, for example through the Kaspersky Automated Security Awareness Platform.