Iran-linked hackers increasingly spy on governments in Gulf region, researchers say

Siva Ramakrishnan
An Iran-linked cyberespionage group has stepped up its attacks in recent months against government agencies in the United Arab Emirates (UAE) and the broader Gulf region, according to a new report.

APT34, also known as Earth Simnavaz and OilRig, is believed to be an Iranian state-sponsored threat actor primarily targeting organizations in the Middle East, especially those in the oil and gas industries.

The hackers’ recent escalation in activity underscores their “ongoing commitment” to exploiting vulnerabilities within critical infrastructure and government networks in geopolitically sensitive areas, said researchers at the cybersecurity firm Trend Micro in a report released last week.

In their latest attacks, APT34 deployed a sophisticated new backdoor named Stealthook to exfiltrate sensitive credentials, including account names and passwords, routing them through compromised on-premises Microsoft Exchange servers to attacker-controlled mailboxes as email attachments.

The group is known for using compromised organizations to conduct supply chain attacks on other government entities, the researchers said. “We expect that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets,” they added.

The group has also recently exploited the Windows CVE-2024-30088 flaw to escalate their privileges in targeted systems. This demonstrates APT34’s “continuous adaptation” by exploiting newer vulnerabilities to make their attacks stealthier and more effective, Trend Micro said.

The researchers warned that government organizations in the Middle East and Gulf region should take the threats from this group “seriously” and improve their defensive measures, because the group uses tools that blend malicious activity with normal network traffic and evade traditional detection methods.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
