Saudi Arabia and the United Arab Emirates top the list of nations targeted by the APT in the Middle East

Sixteen Advanced Persistent Threat (APT) groups have targeted organizations in the Middle East over the past two years with cyberattacks focused on government agencies, manufacturing companies and the energy sector.

According to an analysis published on March 27 by cybersecurity services company Positive Technologies, the APT perpetrators primarily targeted organizations in Saudi Arabia, the United Arab Emirates, and Israel, and include well-known groups such as OilRig and Molerats as well as lesser-known entities such as Bahamut and Hexane.

The groups aim to obtain information that gives their state sponsors a political, economic and military advantage, the researchers said. They documented 141 successful attacks that could be attributed to the groups.

“Companies should pay attention to the tactics and techniques used by APT groups attacking the region,” says Yana Avezova, senior cybersecurity analyst at Positive Technologies. “Companies in the Middle East region can understand how these groups typically operate and prepare for certain steps accordingly.”

The cybersecurity firm used its analysis to determine the most popular types of attacks used by APT actors, including phishing for initial access, encryption and obfuscation of malicious code, and communication over common application-layer protocols such as Internet Relay Chat (IRC) or DNS requests.

Of the 16 APT actors, six groups – including APT35 and Moses Staff – were linked to Iran, three groups – such as Molerats – were linked to Hamas, and two groups were linked to China. The analysis only covered cyberattacks by groups considered sophisticated and persistent, with Positive Technologies elevating some groups (such as Moses Staff) to APT status rather than classifying them as hacktivist groups.

“During research, we came to the conclusion that some of the groups classified as hacktivist by some vendors are not actually hacktivist in nature,” the report stated, adding that “after deeper analysis, we concluded that Moses Staff’s attacks are more sophisticated than those of hacktivists and that the group poses a greater threat than hacktivist groups typically do.”

Main initial vectors: Phishing attacks, remote exploitation

The analysis maps the various techniques used by each group to the MITRE ATT&CK framework to determine the most common tactics used among APT groups operating in the Middle East.

The most common tactics to gain initial access include phishing attacks – used by 11 APT groups – and exploiting vulnerabilities in public-facing applications, used by five groups. Three of the groups also use malware deployed on websites as part of a watering-hole attack that targets visitors in what is also known as a drive-by download attack.

“Most APT groups attack corporate systems with targeted phishing,” the report reads. “Most often these are email campaigns with malicious content. In addition to email, some attackers, such as APT35, Bahamut, Dark Caracal, OilRig, use social networks and messengers for phishing attacks.”

Once inside the network, all but one group collected information about the environment, including the operating system and hardware, while the majority of groups (81%) also enumerated user accounts on the system and collected network configuration data (69%), according to the report.

While “living off the land” has become a major concern among cybersecurity professionals, nearly all attackers (94%) downloaded additional attack tools from external networks. Fourteen of the 16 APT groups used application-level protocols, such as IRC or DNS, to facilitate the download, the report said.
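The report's observation that nearly all of these groups pull additional tooling over application-layer protocols such as DNS points to a detection opportunity. This added example (not from the report or from Positive Technologies) scores constructed DNS query log lines for patterns consistent with tool transfer over DNS; the thresholds, the record types checked and the crude two-label "registered domain" split are assumptions for illustration.

```python
"""Flag client/domain pairs whose DNS queries look like data transfer over DNS."""
import math
from collections import defaultdict

# Constructed sample log lines, format: "<time> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
10:00:01 10.1.2.3 A www.example.com
10:00:02 10.1.2.3 TXT 4a7f9c2e1b3d5e6f7a8b9c0d1e2f3a4b.cdn-update.test
10:00:02 10.1.2.3 TXT 5b8a0d3f2c4e6f7a8b9c0d1e2f3a4b5c.cdn-update.test
10:00:03 10.1.2.3 TXT 6c9b1e4a3d5f7a8b9c0d1e2f3a4b5c6d.cdn-update.test
10:00:03 10.1.2.3 TXT 7dac2f5b4e6a8b9c0d1e2f3a4b5c6d7e.cdn-update.test
10:00:04 10.1.2.3 A mail.example.com
10:00:05 10.1.2.4 A www.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score high, hostnames low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def registered_domain(qname: str) -> str:
    # Assumption: last two labels stand in for a public-suffix-list lookup.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_dns_download_suspects(log_text, min_unique=3, min_label_len=24, min_entropy=3.0):
    """Return {(client, domain): [reasons]} for pairs crossing the heuristic thresholds."""
    stats = defaultdict(lambda: {"subs": set(), "txt": 0, "hi_entropy": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, client, qtype, qname = parts
        st = stats[(client, registered_domain(qname))]
        st["subs"].add(qname)
        if qtype.upper() in ("TXT", "NULL"):  # record types that carry bulk data
            st["txt"] += 1
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            st["hi_entropy"] += 1
    suspects = {}
    for key, st in stats.items():
        reasons = []
        if len(st["subs"]) >= min_unique and st["hi_entropy"] >= min_unique:
            reasons.append(f"{st['hi_entropy']} long high-entropy labels")
        if st["txt"] >= min_unique:
            reasons.append(f"{st['txt']} TXT/NULL queries")
        if reasons:
            suspects[key] = reasons
    return suspects
```

On the sample, only the 10.1.2.3 traffic to cdn-update.test is flagged; the ordinary lookups of example.com stay below every threshold.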

Focused on long-term control

APT groups are typically focused on long-term control of infrastructure, becoming active during a “geopolitically crucial moment,” Positive Technologies says in the report. To prevent success, companies should pay attention to their specific tactics, but also focus on strengthening their information and operational technology.

Inventorying and prioritizing resources, using event monitoring and incident response, and training employees to be more aware of cybersecurity issues are all critical steps for long-term security, says Avezova of Positive Technologies.

“In short, it is important to adhere to the key principles of results-oriented cybersecurity,” she says, adding that “the first steps to take are to counter the most commonly used attack techniques.”

Of the 16 groups, the majority targeted organizations in six different Middle Eastern nations: 14 targeted Saudi Arabia; 12 the United Arab Emirates; 10 Israel; nine Jordan; and eight each targeted Egypt and Kuwait.

While government, manufacturing and energy were the most commonly targeted sectors, mass media and the military-industrial complex were increasingly common targets, the company said in the report.

With attacks on critical sectors growing, organizations should treat cybersecurity as a key initiative, the report says.

“[T]he primary objective [should be] eliminating the possibility of intolerable events – events that prevent an organization from achieving its operational or strategic objectives or that lead to a significant disruption to its core business following a cyber attack,” the company said in the report. “These events are defined by the organization’s top management and lay the foundation for a cybersecurity strategy.”
