Iranian hackers caught spying on governments and military in Middle East

Jason Macuray
An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East in an ongoing espionage campaign, according to a new report.

Tracked as Scarred Manticore, the group primarily targets government, military, and telecom sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq, and Israel.

In recent years, Scarred Manticore has been quietly conducting secret operations in Middle Eastern countries, infiltrating telecommunications and government entities to systematically exfiltrate data from their systems, according to researchers at Check Point, one of the companies that investigated this campaign.

Check Point believes that Scarred Manticore is affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The location of the group’s victims aligns with Iranian interests and matches the typical victim profile that MOIS-affiliated clusters usually target in espionage operations, the researchers said.

Scarred Manticore has been active since at least 2019, and over the years its toolset has undergone significant changes.

The tools and capabilities used by the group in their ongoing campaign, which reached its peak in mid-2023 and had remained under the radar for at least a year, “demonstrate[s] the progress that Iranian actors have made over the past few years,” researchers said.

For example, in their latest attacks the group used advanced malware known as Liontail — a sophisticated backdoor that allows attackers to execute commands remotely through HTTP requests.

According to Check Point, the group is known for generating a unique implant for every compromised server, which makes its malicious activity hard to distinguish from legitimate network traffic. This per-target customization is what allows Liontail operators to evade detection for an extended period, the researchers said.

While Liontail appears to be unique and shows no clear code overlaps with any known malware family, other tools used by Scarred Manticore in this campaign do overlap with previously reported activities, particularly those associated with the Iranian hacker group OilRig or its affiliates.

“We do not have sufficient data to properly attribute the Scarred Manticore to OilRig, even though we do believe they’re likely related,” the researchers said.

Some of the tools used by the group have also been associated with the destructive attack against Albanian government infrastructure, allegedly sponsored by MOIS.

The researchers predict that Scarred Manticore operations will continue and could extend into other regions in line with Iranian long-term goals.

On Tuesday, FBI Director Christopher Wray called Iran “the world’s largest sponsor of terrorism” and noted that Hezbollah — Tehran’s “primary strategic partner” — has a history of spying in the U.S.

He also warned that digital attacks against the U.S. by Iran and non-state actors could worsen if the conflict between Israel and Hamas grows.


Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
