Groups in the Middle East and North Africa (MENA) region are becoming increasingly skilled at launching cyber-attacks, stealing sensitive data and adopting cyber-crime tactics, according to research released by two security firms.
One group, dubbed Arid Viper by Trend Micro, used spearphishing, pornography and leased servers to conduct espionage attacks against Israeli targets, the company said in a report published on Feb. 16. A second group, also discovered by Trend Micro, appeared to be searching for images on infected PCs as part of a blackmail scheme. In a separate effort, researchers at BAE Systems tracked attacks by a pro-Iranian group that used more than 40 programs and five malware families in their operations.
While the barriers to creating a reasonably sophisticated cyber-capability are lower than ever, the recent activity shows that tactics for cyber-operations are evolving, Tom Kellerman, chief cyber-security officer with Trend Micro, told eWEEK.
“I wouldn’t call it very elegant,” he said. “I would say that it is a harbinger of increased sophistication by the non-state actor groups in the region.”
Cyber-attacks from groups and nations in the Middle East have increased dramatically in the past three years. While groups such as the Syrian Electronic Army and the Izz ad-Din al-Qassam Cyber Fighters led the way by conducting defacements and denial-of-service attacks, they have now been joined by other groups focused on cyber-crime or espionage. Recently, extremists have also taken to the Internet, hacking media and corporate social media accounts.
In the case of Arid Viper, an independent political group likely carried out the attacks, but may have had cooperation from a nation in the region, because the group had detailed knowledge of high-priority targets—Israelis with some connection to the military or defense industries, Kellerman said. The attacks began in mid-2013 and continued until late 2014.
The group behind Arid Viper sent email messages to targeted people with attachments that contained hidden malware. If the victim opened the attachment, their system would be infected while a short pornographic clip would play. While such a tactic is unusual—more typically, malware is directly attached to such a video—Trend Micro researchers posit that victims may be too embarrassed to call tech support, hindering any response to the compromise.
The malware then communicates with the command-and-control servers and searches the hard disk for Office documents and text files. The C&C server then designates which files are considered interesting to the attackers, and those files are uploaded to the server as a text file.
“A single execution allows the malware client to steal documents from the infected systems,” the report stated.
Another interesting aspect of the operation is that the attackers used leased command-and-control infrastructure based in Germany. Researchers at Trend Micro found that the servers that received the stolen data were also used by other cyber-criminal campaigns that otherwise looked unrelated.
The firm gathered information on at least one other campaign, which had spread malware that searched the hard drives of infected systems for images, ostensibly to uncover embarrassing pictures that could be used to extort the victims, the firm posited.
In a separate investigation, Adrian Nish, a researcher at BAE Systems, found that a U.K. engineering firm had been compromised by attackers with links to Iran. In a presentation given at Kaspersky Lab’s Security Analyst Summit, Nish said that attackers are using more complex tactics and “there’s offensive cyber-companies and local malware authoring now,” according to a report in Kaspersky Lab’s news service Threatpost.