The cyber war in the Middle East was taken up a notch Thursday when Symantec’s Threat Hunter Team reported that they believe the Iranian Crambus espionage group (aka OilRig, MuddyWater, APT34) staged an eight-month-long intrusion against an unspecified government in the Middle East.
In a blog post Oct. 19, Symantec’s researchers reported that Crambus has a long-running track record of mounting operations against many countries in the Middle East, including Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, and Turkey. They have also targeted Albania and the United States.
The Symantec researchers said Crambus has staged long-running intrusions for intelligence gathering and spying purposes. It has also added a heavy social engineering component in recent years during the early stages of its attacks. Crambus most recently came to attention last year when Microsoft linked the group to a destructive attack against the Albanian government.
“Over the past couple of years, Iran has focused their hacking on their perceived competitors in the region,” said Ben Read, Mandiant head of cyber espionage analysis at Google Cloud. “This has included numerous governments in the Middle East. We believe that Iranian groups, Including APT34, have targeted these governments to get insight into sensitive foreign policy decision making"
During this most recent attack, the Symantec researchers said Crambus stole files and passwords, and in one case, installed a PowerShell backdoor to monitor incoming emails sent from an Exchange Server. The attackers then executed commands in the form of emails and forwarded the results back to the threat group.
Symantec said malicious activity took place on at least 12 computers and there’s evidence that the attackers deployed backdoors and keyloggers on dozens more.
An environment for cyber warfare
The ongoing tensions and numerous proxy wars over the years between Iran and Israel have created an environment conducive to cyber warfare. The region has already seen various cyber and social media incidents since Hamas first launched its terrorist attack in southern Israel Oct. 7.
Early on, the Jerusalem Post’s website was taken down and the RedAlert app was attacked. On the social-media front, The New York Times has reported that even though it has been banned from Facebook, Hamas has been using social media to get its message out to people, especially on Telegram.
As far as any links to Iran, Callie Guenther, senior manager, cyber threat research at Critical Start, explained that Iran's alleged support of Hamas and other regional groups hostile to Israel suggests a multi-pronged strategy of influence, including various cyber operations.
“Given the intricate geopolitical web, groups like Crambus might be tasked with operations against Israeli infrastructure, gathering intelligence on Israeli military strategies, or disrupting systems to influence the physical battlefield,” said Guenther. “They could also engage in operations against states that side with or support Israel. Iran has previously been implicated in cyberattacks against Israel. In 2020, a series of cyber incidents, including an alleged Iranian attempt to compromise Israeli water infrastructure, highlighted the evolving nature of the conflict in the cyber realm.”
Security pros need to keep in mind that Iran and Israel have maintained an adversarial relationship since the Iranian Revolution in 1979 when the Shah of Iran was overthrown, Guenther added. The revolutionary leadership in Iran has consistently opposed Israel's right to exist, partly rooted in religious differences and partly in regional politics.
Guenther said Iran's alleged support for groups like Hamas and Hezbollah, as evident from multiple sources, serves as a means to exert influence and combat Israel indirectly.