Iran intensifies cyber espionage in Middle East

Iran has ramped up its cyber-espionage activities across the world in general and in the Middle East in particular.
  • Iranian espionage targeted aerospace and telecommunications companies in the Middle East, the US, Russia, and Europe
  • Cybereason identified 10 companies impacted during their three-month investigation

Cyberattacks by Iranian spies have become more sophisticated and have intensified not only against the GCC but also against other Arab countries, Europe, the United States, and Russia, say industry experts.

A report released by the US Department of State last year identified Iran as a prominent threat actor in cyberspace.

According to the report, the country uses spying and other cyber activities to influence global events and threaten the security of other countries, in addition to preventing secure access to an open and interoperable Internet.

Despite Tehran’s denials of malicious cyber activity, there appears to be clear evidence of the regime’s participation in cyberspace. The most recent example is Cybereason’s threat intelligence report, dubbed Operation GhostShell, which exposes a previously unknown, highly targeted Iranian cyber-espionage operation against aerospace and telecommunications companies across the Middle East, the US, Russia, and Europe.

The report, from the cybersecurity technology company founded in 2012 and headquartered in Boston, attributes the attacks to a newly identified Iranian threat actor named MalKamak. The group is said to have been operating since 2018 and remained unknown until recently.

In addition, the report revealed a sophisticated and previously undocumented Remote Access Trojan (RAT) dubbed ShellClient, which evades antivirus tools and other security controls and abuses the public cloud service Dropbox for command and control (C2).

Cybereason’s investigation reveals possible connections to several Iranian state-sponsored threat actors, including Chafer APT (APT39) and Agrius APT.

How was the attack carried out?

Speaking to TRENDS, Senior Director and Head of Threat Research at Cybereason, Assaf Dahan, said: “There are very few samples of the ShellClient malware discovered by Cybereason in the wild — we’re talking about less than seven to eight samples in the three years of activity.

“This demonstrates how careful the MalKamak threat group was to make sure it was not detected. The threat actors created Dropbox accounts and used them for command-and-control purposes.”

They didn’t exploit any Dropbox vulnerability, he said, adding that this is a very clever way to hide in plain sight since Dropbox is a trusted brand, and traffic to a legitimate site usually will not raise suspicions of certain security products and analysts.
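One practical consequence of C2 over a trusted cloud service is that blocking the destination is rarely an option; the useful signal is which process is talking to the Dropbox API and how regularly. The following script, added here as an illustration and not code from Cybereason’s report, runs that check over a handful of constructed proxy-log lines: it flags Dropbox API traffic from any process other than the expected Dropbox client and tests the inter-request intervals for beacon-like regularity. The host list, the expected-client list, the log format and the jitter threshold are all assumptions for the example.

```python
"""Hunt for Dropbox API traffic that looks like C2 rather than file sync.

Added example: the log lines below are constructed, and the host/process
allow-lists are assumptions a real deployment would replace with its own.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Dropbox API endpoints a RAT needs for upload/download (assumed list).
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
# Processes expected to use the Dropbox API on a managed workstation (assumed).
EXPECTED_CLIENTS = {"dropbox.exe", "dropbox"}

# Constructed sample: "<ts> <host> <process> <dst> <method> <path> <bytes>".
SAMPLE_LOG = """\
2021-07-12T08:00:03Z ws-017 dropbox.exe api.dropboxapi.com POST /2/files/list_folder 1240
2021-07-12T08:00:05Z ws-042 svchost.exe api.dropboxapi.com POST /2/files/list_folder 612
2021-07-12T08:03:41Z ws-017 dropbox.exe content.dropboxapi.com POST /2/files/upload 88120
2021-07-12T08:10:05Z ws-042 svchost.exe content.dropboxapi.com POST /2/files/download 4096
2021-07-12T08:11:19Z ws-088 powershell.exe api.dropboxapi.com POST /2/files/list_folder 590
2021-07-12T08:20:06Z ws-042 svchost.exe api.dropboxapi.com POST /2/files/list_folder 612
2021-07-12T08:27:52Z ws-017 dropbox.exe api.dropboxapi.com POST /2/files/list_folder 1240
2021-07-12T08:30:04Z ws-042 svchost.exe content.dropboxapi.com POST /2/files/upload 20480
2021-07-12T08:31:10Z ws-101 chrome.exe www.dropbox.com GET /home 3310
"""


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst, method, path, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "process": proc, "dst": dst,
            "method": method, "path": path, "bytes": int(nbytes),
        })
    return events


def find_dropbox_c2(events, min_beacon_events=3, max_jitter=0.2):
    """Return one finding per (host, process) that reaches the Dropbox API
    without being the expected client. A source is marked as beaconing when
    it has at least min_beacon_events requests whose inter-arrival times
    vary by no more than max_jitter (coefficient of variation)."""
    by_src = defaultdict(list)
    for e in events:
        if e["dst"] in DROPBOX_API_HOSTS and e["process"].lower() not in EXPECTED_CLIENTS:
            by_src[(e["host"], e["process"])].append(e)

    findings = []
    for (host, proc), evs in sorted(by_src.items()):
        stamps = sorted(e["ts"] for e in evs)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        beacon, period = False, None
        if len(stamps) >= min_beacon_events:
            mean = sum(gaps) / len(gaps)
            # Low spread relative to the mean interval is the beacon signature.
            if mean > 0 and pstdev(gaps) / mean <= max_jitter:
                beacon, period = True, round(mean)
        findings.append({
            "host": host, "process": proc, "events": len(evs),
            "bytes": sum(e["bytes"] for e in evs),   # rough transfer volume
            "beacon": beacon, "period_s": period,
            "reason": "unexpected process" + (" + regular beacon" if beacon else ""),
        })
    return findings


if __name__ == "__main__":
    for f in find_dropbox_c2(parse_log(SAMPLE_LOG)):
        print(f)
```

On the sample data, `dropbox.exe` on ws-017 is ignored as the expected client, the browser session to `www.dropbox.com` never touches the API hosts, `powershell.exe` on ws-088 is reported for the unexpected process alone, and `svchost.exe` on ws-042 is reported as both an unexpected process and a 600-second beacon. The point is that none of this requires a malware signature; it is the behavioral context Dahan refers to, derived from logs most organizations already collect.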

In addition, the authors implemented a kill function to instruct the malware to delete itself if its operators believed their operation was in jeopardy.

Dahan added that Cybereason identified 10 companies impacted during their three-month investigation, but declined to name the victim companies due to regional sensitivities.

“The MalKamak threat group appears to be targeting Middle-Eastern aerospace and telecommunications companies. However, as we dug into the investigation, we discovered victims in the US, Europe, and Russia as well,” he said, adding that MalKamak threat actors took business-critical assets from the impacted firms, and that the threat is still active.

Disastrous consequences

Another cyber expert, Coordinates Middle East CEO Tarek Ghoul, told TRENDS that cyberattacks may likely be the most serious threat to humanity right now because, unlike nuclear weapons, they constantly detonate and cause substantial damage.

“Cyberattacks wreak havoc on hospitals; they halt transportation, shut down electrical systems, steal businesses, and bring entire countries’ key national infrastructure to a halt,” said the CEO of one of the leading cyber defense firms in the region.

When threat actors go undetected for more than three years, the consequences are disastrous for businesses. They steal confidential information as well as a variety of business-critical assets. This has a significant impact on each afflicted business.

“If Cybereason weren’t brought in to investigate a suspicious activity in July 2021, MalKamak would still be operating in stealth mode,” Dahan said.

He added: “One of the reasons Cybereason went public with the findings was to raise awareness for this threat. Overall, we recommend that security practitioners, specifically those working for aerospace/telecoms companies, study our report carefully. In addition, we provided the IOCs (indicators of compromise) and highly contextualized behavioral data that can be used to detect sophisticated attacks and evasive threat actors in the future.”

How can companies and governments protect themselves?

No company is immune to cyberattacks. According to Dahan, the public and private sectors need to invest in ratcheting up prevention and detection and improving cyber resilience.

“The companies should fight fire with fire,” Dahan said, adding: “A threat actor might get in, but so what? We can slow them down and limit what they see. We can ensure fast detection and ejection and make material breaches outdated. We can keep them out of the castle by planning and being smart ahead of time and setting up the right defenses.”

In addition, governments are developing counter-cyberterrorism capabilities to combat these threats. Those programs’ complexities and effectiveness are constantly tested.

“While large government entities and enterprises may have the finances, capabilities, skills, tools, and processes to establish successful cyber protection programs, other entities are at risk,” said Ghoul.

“Those entities are not just a hazard to themselves, but also to the ecosystem in which they live.”

He added: “When it comes to societal cyber resilience, there are two overarching strategies at work.”

The first is democratizing cyber defense means so that all entities, regardless of size, maturity level, or budget, can afford and adopt defense-grade cybersecurity capabilities.

The second is governments’ active role in drafting laws, enforcing policies, and mandating cyber-defense capabilities as a foundation to their digital economy.

Iran’s goal

The World Economic Forum (WEF) ranks cyberattacks as the most significant risk of doing business in the US and the UK. In the same report, the WEF places cyberattacks as the third-most serious risk for the UAE, just behind energy price shock and asset bubble.

Cyberattacks are rising in both frequency and sophistication. Alongside the Cybereason report, Microsoft also announced last week that hackers suspected of having ties to Iran had targeted defense technology companies in the United States, Israel, and Gulf ports.

Microsoft stated that the activities of the group, codenamed DEV-0343, appear to align with Iranian interests and that the group is working to improve its techniques. It also noted that the activity was discovered in July 2021 and that it notified the targeted companies, but did not reveal their identities.

According to Microsoft, Iran’s targeting of military-technology businesses assists the Iranian government’s tracking of hostile security services and shipping in the Middle East, as it gives them “access to commercial satellite imagery and private shipping plans and records.”

Dahan, for one, said the Iranian targeting is no different from that of any other government with significant cyber capabilities. They engage in cyber warfare for various reasons and goals, and there have been reports of more devastating attacks, as well as those that seemed to focus more on cyber espionage.

“Some groups have engaged in both,” he explained, “But our current assessment is that MalKamak focuses on cyber espionage rather than harmful attacks.”