Iran-backed hackers dwelled for 8 months in Mideast government’s system, report says

Siva Ramakrishnan
Hackers connected to Iran’s government spent eight months inside the systems of an unspecified Middle East government, stealing files and emails, according to researchers.

Cybersecurity firm Symantec attributed the campaign to a group it calls Crambus but others refer to as APT34, OilRig or MuddyWater.

The intrusion lasted from February to September, and while the researchers declined to name the country targeted, Crambus previously had been tracked targeting Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S. and Turkey.

Dick O’Brien, principal intelligence analyst on the Symantec Threat Hunter Team, told Recorded Future News that there were several new tools involved in the intrusion, including three new pieces of malware.

“The length of the intrusion is near the upper end of the scale,” he added, noting that the tactics resembled those seen in other attacks.

The research comes as Iran’s influence in the Middle East is under intense scrutiny due to the Israel-Hamas conflict.

In addition to stealing information, the hackers installed tools that allowed them to monitor emails. In total, the intruders compromised 12 computers, but Symantec found evidence of backdoors and keyloggers installed on dozens more devices.

Crambus is known to “stage long-running intrusions for intelligence gathering and spying purposes,” the researchers said.

“In recent years it has added a heavy social engineering component to the early stages of its attacks. It most recently came to attention last year, when Microsoft linked the group to a destructive attack against the Albanian government,” they said. “It assessed that Crambus was involved in gaining initial access and exfiltrating data from impacted networks. Wipers were likely then deployed by other Iran-linked actors.”

The first evidence of an attack appeared on February 1, when the hackers began to take a range of actions on one device. They quickly moved to a second computer after four days and by April, made their way into a third.

A fourth computer was compromised on May 7 and the hackers continued to use new malware to capture keystrokes and steal contents from the operating system’s clipboard.

By August, the hackers had used a tool to scan for vulnerabilities, including the Log4j bug, on other machines on the network. The malicious activity continued until September 9.

“After a 2019 leak of its toolset, there was some speculation that Crambus may disappear. However, its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield.”

In the last year, cybersecurity firms have identified several campaigns against the governments of Saudi Arabia, Jordan, Israel and more. An Iranian cloud provider was accused of providing infrastructure services to APT34 in August.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.