Kaspersky Lab has detailed a large-scale, nation-state-backed malware campaign called Operation Parliament that is targeting governments and high-level officials in the Middle East and North Africa (MENA) region.
Operation Parliament has been running since early 2017 with the clear intention of conducting espionage against top legislative, executive and judicial bodies around the world, but primarily in the MENA region and more specifically Palestine, said Kaspersky's Global Research and Analysis Team. The malware in use provides a remote CMD/PowerShell terminal, giving the operators remote code execution on the infected machine and a channel for data exfiltration.
The campaign was first noticed during an investigation of a phishing attack in the MENA region, which was originally, and incorrectly, attributed to a group called Gaza Cybergang. Kaspersky's researchers believe the campaign is an outgrowth of the always simmering tensions in the Middle East. However, victims in several nations outside the region, including the United States and Russia, have also been attacked.
“Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor,” Kaspersky said.
The attackers have cast a wide net targeting senates, parliaments, prime minister-level offices, financial institutions, media outlets and even an Olympic sports body. Despite the group's wide-ranging efforts and the number of targets hit, the malicious actors go to extraordinary lengths to stay in the shadows.
Those behind Operation Parliament make sure their attacks hit only their intended targets, and they take care to safeguard their command-and-control servers.
“The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital),” Kaspersky said.
Helping keep the attackers' identities unknown is their use of a previously unseen malware family. Kaspersky noted that the malware's strings and settings are encrypted with 3DES and then Base64-encoded, and that the data the malware sends to its C&C server is protected the same way.
After being installed, the malware first sends back basic information on the target device; it can then modify its code and remove specific data sets.
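The 3DES-plus-Base64 layering described above is the part an analyst has to reverse before the C&C addresses, settings and beacon contents of a sample become readable. The following is an added example written for this page, not code from Kaspersky or from the malware itself: it encodes a constructed string table (a made-up C&C hostname, a host-information beacon like the one the malware sends after installation, and a PowerShell command) the way the report describes, and then decodes it as an analyst's string-decryption helper would. The key, IV, CBC mode and PKCS#7 padding are all assumptions; the report names only 3DES and Base64, and real key material would have to be recovered from the unpacked binary.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key and IV are made up for this example; nothing here comes from the real sample.
var (
	sampleKey = []byte("example-3des-key-24bytes") // 24 bytes: three DES subkeys
	sampleIV  = []byte("8byteIV!")                 // one DES block
)

// pkcs7Pad pads to a whole number of blocks (assumed; the report does not name the padding).
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed trailers, the usual symptom
// of decrypting with the wrong key or IV.
func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// Encode applies 3DES (CBC mode, an assumption) and then Base64, the layering the
// report describes for the malware's strings, settings and C&C traffic.
func Encode(key, iv, plaintext []byte) (string, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext, block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decode reverses Encode: Base64 first, then 3DES-CBC, then padding removal.
func Decode(key, iv []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(raw) == 0 || len(raw)%block.BlockSize() != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 8")
	}
	out := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, raw)
	return pkcs7Unpad(out, block.BlockSize())
}

// DecodeStringTable decodes a table of encoded strings pulled from a sample's config,
// stopping at the first entry that does not decrypt cleanly.
func DecodeStringTable(key, iv []byte, table []string) ([]string, error) {
	plain := make([]string, 0, len(table))
	for i, s := range table {
		p, err := Decode(key, iv, s)
		if err != nil {
			return plain, fmt.Errorf("entry %d: %w", i, err)
		}
		plain = append(plain, string(p))
	}
	return plain, nil
}

// SampleStringTable builds a constructed string table: a fake C&C host, a beacon of
// basic host information and a terminal command, encoded as the report describes.
func SampleStringTable() []string {
	plaintexts := []string{
		"c2.example.test",
		"host=WS-01;user=analyst;os=Windows",
		"powershell -nop -c Get-Process",
	}
	table := make([]string, 0, len(plaintexts))
	for _, p := range plaintexts {
		enc, _ := Encode(sampleKey, sampleIV, []byte(p))
		table = append(table, enc)
	}
	return table
}

func main() {
	table := SampleStringTable()
	plain, err := DecodeStringTable(sampleKey, sampleIV, table)
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	for i := range table {
		fmt.Printf("%s -> %q\n", table[i], plain[i])
	}
}
```

Run it with `go run .` to see each Base64 blob beside its recovered plaintext. The padding check in `pkcs7Unpad` matters in practice: when a candidate key or IV is wrong, the last block decrypts to noise and the trailer fails validation, which is how an analyst distinguishes a bad key guess from a genuinely empty or binary setting. Real samples may use ECB instead of CBC, a different padding scheme, or a per-sample key, so each of those assumptions has to be confirmed against the unpacked code.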