Digital transformation in the Middle East
In the Middle East, digital transformation continues as a strategic measure to diversify the economy and reduce dependence on raw materials. Enhancing cybersecurity and protecting critical infrastructure are key to ensuring the resilience of official digital initiatives.
For example, the United Arab Emirates (UAE) increased investments in cybersecurity as part of a new budget plan. Authorities announced the implementation of new cyberprotection standards for government institutions and introduced the largest-ever five-year budget (2022–2026), which, among other things, aims to strengthen cybersecurity.
Saudi Arabia launched the CyberIC program as part of its strategy to bolster national security and develop digital infrastructure. The program aims to support more than 60 cybersecurity startups and is being implemented in collaboration with the National Cybersecurity Authority (NCA).
| | Saudi Arabia | UAE | Bahrain | Qatar | Oman | Kuwait |
|---|---|---|---|---|---|---|
| Development initiative | Saudi Vision 2030 | We the UAE 2031 | Bahrain Vision 2030 | Qatar Vision 2030 | Oman Vision 2040 | Kuwait Vision 2035 |
| Government strategy | Smart Government Strategy | Digital Government Strategy 2025 | Digital-First Principle | Digital Government Strategy | Government Digital Transformation Program | Prioritization of digitalization |
In the face of technological progress and an evolving cyberthreat landscape, advanced cybersecurity is crucial for sustainable development and protection in Middle Eastern countries. Companies and government institutions are facing diverse challenges that require comprehensive security measures and rapid response.
Development and implementation of innovative solutions
To enhance cybersecurity, local companies are investing heavily in cutting-edge technologies like AI and machine learning. These technologies are designed to prevent threats at early stages and optimize incident response.
For instance, Saudi Aramco is deploying AI to secure critical infrastructure. The company's venture arm invested $9 million in SpiderSilk, a UAE-based startup offering AI-powered cybersecurity services.
According to IBM's annual report, the increased use of AI and automation by organizations correlates with a reduction in the average costs of information security incidents. Organizations that don't use AI and automation face average losses of $5.72 million, while companies actively using these technologies reduced their costs to $3.84 million.
Legislative initiatives
Governments in the Middle East recognize the importance of protecting critical infrastructure and data amidst growing cyberthreats, and are implementing legislative initiatives to bolster cybersecurity.
On September 14, 2023, Saudi Arabia's first-ever data protection law came into effect. Companies operating in the Middle East must assess the impact of the new legislation on their data processing practices and ensure compliance with the new requirements.
In Jordan, the Cybercrime law No. 17 of 2023 came into force on September 13, 2023, replacing the Cybercrime law of 2015. The new law, consisting of 41 articles, introduces enhanced measures to combat cybercrime.
Training and skill development
A key element of national sovereignty is interstate cooperation in developing a skilled workforce. This includes training specialists to protect critical government sectors, conducting joint cyber exercises to enhance the competencies of cybersecurity agencies, and implementing joint educational programs.
Partnering with leading universities and educational institutions enables states to create professional development programs. Educational programs at higher education institutions play a key role in training specialists in the UAE. To this end, the Commission for Academic Accreditation (CAA) added 11 cybersecurity training programs to the national registry.
Saudi Arabia also started investing heavily in digital education: the government created the National Information Technology Academy in collaboration with Saudi Aramco and IBM to train and develop local talent. When it comes to partnering with businesses, Google, Amazon, and Oracle are partners in a $1.2 billion program created to enhance the digital skills of Saudis.
Partnerships and collaboration
Cybersecurity conferences stimulate the exchange of knowledge and experience. The UAE hosts the annual Gulf Information Security Expo & Conference (GISEC) and Gulf Information Technology Exhibition (GITEX), thereby providing a platform for discussing current cybersecurity issues and facilitating business deals.
For instance, Cisco announced a landmark collaboration with the telecom operator du (Emirates Integrated Telecommunications Company). The initiative focuses on transforming du's SOC into an advanced cyberdefense hub, leveraging AI and automation to enhance security and operational efficiency.
Cybersecurity threatscape in the Middle East
According to research by IBM, the average cost of cyberattacks on organizations in the Middle East is $8.75 million, nearly double the global average. Escalating cyberthreats pose significant financial and reputational risks for businesses.
From Q3 2023 to Q2 2024, we observed a trend in the Middle East where cyberattacks on regional organizations mirrored the geopolitical situation. This indicates an evolution in modern conflict strategies, in which cyberattacks have become part of warfare. In Q1 2023, during the escalation of the conflict between Israel and Hamas, the number of successful cyberattacks in the region doubled compared to the same period of the previous year; in Q1 2024, it tripled.
At the beginning of the conflict, most of the attacks targeted Israel and Palestine, but they later spread to neighboring countries, attracting hackers and cybercriminals from around the world.
Various hacktivist organizations declared that they would participate in cyberattacks on one side or the other of the conflict. Among these groups is Mysterious Team Bangladesh, known for its frequent cyberattacks against France. The group declared its readiness to launch cyberattacks against Israeli targets and called for collective action. Additionally, Mysterious Team Bangladesh carried out a DDoS attack on the Organization of Islamic Cooperation's website, demanding in the team's Telegram channel that strict measures be taken against Israel.
Since mid-November 2023, another hacktivist group involved in the conflict has been publishing vast amounts of confidential data belonging to Israeli companies and government institutions, including the Ministry of Health, the Nature and Parks Authority, the Ministry of Welfare and Social Services, the Securities Authority, the state payment gateway, and the national archive.
The Middle East has been frequently targeted by APT groups—cybercriminal gangs executing multistage, meticulously planned attacks against specific industries or groups of industries. APT groups carried out complex and prolonged attacks aimed at reconnaissance, sabotage, and data theft. Almost all of the APT groups we studied attacked government institutions at least once, with 69% of such groups targeting the energy sector, highlighting their interest in destabilizing critical infrastructure.
Water supply, transportation systems, as well as electrical and communication networks are the backbone of a well-functioning state. In Q4 2023, we saw a surge in attacks on water supply systems. Incidents in these systems can lead to non-tolerable events, such as large-scale power outages and water supply disruptions, which in turn may have significant social and economic consequences. A hacker group disrupted operations at 70% of gas stations in Iran: the gas stations had to shut down due to software issues. Al Jazeera noted that this same group had previously claimed responsibility for cyberattacks on Iran's rail networks and steel factories.
From Q3 2023 to Q2 2024, government institutions were most frequently targeted (24% of all attacks), followed by manufacturing companies (17%), telecommunications (7%), and IT companies (7%).
Government agencies
Government agencies store vast amounts of confidential information, including personal data of citizens, state secrets, and other restricted information. This information can be extremely valuable to cybercriminals. According to our research on confidential information leaks, in H1 2024, the majority of ads offering data of government institutions on dark web forums were related to Middle Eastern countries (16%). The region is targeted by APT groups that mainly attack governmental organizations, which explains the aforementioned trend.
Sometimes, data falls into the wrong hands because of insiders who, whether accidentally or intentionally, misuse their access to an organization's network. According to the CPX report, 23% of threats detected in UAE organizations came from internal attackers.
Manufacturing
Nearly a third (28%) of cyberattacks on manufacturing companies in the Middle East involved ransomware. Manufacturing companies also suffered from wipers, malware designed to destroy user and system data, which can subsequently lead to equipment failure. The compromise of ICS infrastructure was particularly dangerous, as it can cause significant disruptions in the operation of critical facilities. For example, criminals used the BiBi wiper, which renders the data of targeted systems inaccessible or unusable, in attacks against Israeli organizations.
Telecommunications
Telecommunication companies were one of the top targeted sectors in the Middle East, accounting for 7% of all incidents. Such companies process and store customer data and are often used as a stepping stone in attack chains on organizations in other industries. This data can be used for various purposes, including blackmail, identity theft, and further targeted attacks.
Moreover, cybercriminals can use access to telecom companies to spread malware, potentially leading to mass infections of user devices and cyberattacks on government networks. Once they gain access, cybercriminals can use it to wreak havoc during times of geopolitical tension.
According to researchers from SentinelOne, regional telecom providers were attacked as part of the multistage campaign Operation Soft Cell. The attack was neutralized before any non-tolerable events occurred. Interestingly, malicious activity within this campaign had been ongoing since 2012.
IT
IT companies ranked among the top targeted industries in the Middle East, accounting for 7% of attacks. These companies serve a diverse range of clients, from large corporations to government agencies. This makes them particularly attractive targets, as a successful attack on an IT company can compromise a significant number of its clients. For instance, the APT34 group, targeting government clients of IT companies, created a fake website that mimicked a UAE company and sent out fake job application forms on its behalf. When the document disguised as a job application was opened, malicious code was executed, designed to steal confidential information.
IT companies also store large amounts of critical data, such as intellectual property and user information. If compromised, this data can yield significant profits for cybercriminals through sales on the black market.
How organizations in the Middle East were attacked
86% of attacks on organizations involved the compromise of workstations, servers, and network equipment. Successful attacks on web resources accounted for 27% of the total number of attacks.
The most popular method of attack in the Middle East was the use of malicious software. This trend was also covered by our previous research. By using malicious software, attackers can steal confidential information or bring operations to a halt.
Malware
Remote Access Trojans (RATs) became the most common type of malware in attacks on organizations, accounting for 33% of cases. Spyware took second place, used in one out of every five successful attacks involving malware. In 19% of cases, attackers used ransomware, which is similar to the previous period.
Modern versions of Remote Access Trojans (RATs) can disguise themselves as legitimate applications and use various methods to bypass antivirus programs. This allows RATs to remain undetected on infected devices for extended periods, making them a favorite tool among cybercriminals.
Government institutions (31%), manufacturing companies (25%), and healthcare organizations (13%) were the most frequent victims of ransomware operators. Even the Ministry of Finance of Kuwait fell victim to a ransomware attack. The government confirmed that during the attempt to breach the system using malware, payment and payroll systems were affected and had to be shut down until the investigation was completed.
Telecommunication companies also suffered from ransomware attacks. For example, a cybercrime group carried out an attack on Etisalat (UAE) using the LockBit ransomware. Confidential files belonging to Etisalat were put up for sale on the hackers' website for $100,000. The criminals also set a deadline, after which they threatened to destroy all compromised data.
Social engineering
In more than half of successful attacks on Middle Eastern organizations in this study, criminals used social engineering (54%). AI and machine learning technologies significantly facilitated the use of social engineering. According to research by Acronis, the development of generative AI systems led to an increase in malicious content and a rise in AI-driven phishing attacks, affecting over 90% of organizations. In 2023, the number of attacks by email surged by a staggering 222% compared to H2 2022.
Since February 2024, Check Point specialists detected over 50 phishing campaigns targeting Israeli municipalities, airlines, travel agencies, and media outlets as part of the malicious activities of the MuddyWater APT group. Some emails offered to download a new application, while others provided access to training courses.
Vulnerability exploitation
Attacks exploiting vulnerabilities accounted for 35% of cases, highlighting the popularity of this method of attacks against organizations in the Middle East. Here are the main reasons for this:
- The rising number of vulnerabilities. The number of vulnerabilities is constantly on the rise according to the National Institute of Standards and Technology (NIST). The number of vulnerabilities discovered in 2023 (28,902) surpassed that of 2021 (20,155) and 2022 (25,081) by 42% and 14% respectively. In 2023, the UAE's Computer Emergency Response Team (aeCERT) reported that the CVE-2021-36260 remote code execution vulnerability (Hikvision camera vulnerability) accounted for 32% of exploitation cases. By exploiting this vulnerability, a malefactor can gain full control over the compromised device.
- A growing number of connected devices. The number of IoT devices and other internet-connected systems that expand the attack surface is rising. Manufacturing and transportation companies in the Middle East implemented IoT devices to enhance efficiency and automate processes. However, many of these devices have vulnerabilities and security flaws that can be exploited by attackers.
- The growth of cybercrime as a business. Cybercriminals are developing and selling exploits and attack tools, facilitating widespread exploitation of vulnerabilities.
The impact of attacks against Middle Eastern organizations: a surge in data leaks
The leak of confidential information was the most frequent consequence of successful attacks on Middle Eastern organizations during the reviewed period. Notably, the share of data leaks among other consequences significantly increased by Q2 2024. We expect this trend to continue in the future.
In most cases, personal data was stolen from the information systems of trade and financial organizations. One of the leading retail chains in the UAE, Lulu Hypermarket, headquartered in Abu Dhabi, fell victim to a data breach. As a result of the incident, over 200,000 customer records were compromised, including personal details such as email addresses and phone numbers.
The region's public sector also suffered data leaks. One such victim was the US-Saudi Arabian Business Council, a non-profit organization that fosters cooperation between businesses in both countries, which the INC Ransom group claimed to have compromised. The attackers claimed to have obtained 200 GB of data, including financial documentation, email correspondence, confidential agreements, and contracts.
Credential leaks were another common threat for organizations, accounting for 18% of all incidents. Credentials are a popular target of attackers because they can be used to gain access to systems or sold on the dark web.
The highest number of data leak and sale ads was recorded in the UAE (34%), Israel (29%), and Iran (14%). This can be put down to the high level of digitalization and the complex geopolitical landscape in question.
How individuals were attacked in the Middle East
The share of cyberattacks on individuals halved compared to the previous period, accounting for 10%. Cybercriminals optimized their methods, shifting focus from mass attacks to more targeted attacks on specific organizations. This helped them achieve significant results with fewer resources.
At the same time, data leaks provided cybercriminals with numerous opportunities for attacks on individuals, such as phishing, social engineering, and fraud. Armed with data stolen from organizations, cybercriminals can craft convincing attack scenarios, increasing the chances of success. A significant increase in phishing attacks, both in Bahrain and across the region, was noted by the Chief Information Security Officer of the National Bank of Bahrain (NBB). He emphasized that cybercriminals were increasingly targeting minors in attempts to obtain confidential information about their parents' credit cards.
Most cyberattacks on individuals were carried out using malware (77%). Most often, individuals' devices were infected with data-stealing malware, including spyware (55%), Remote Access Trojans (RATs) (18%), and banking trojans (9%).
Spyware in the Middle East was used to steal personal and financial data, as well as to spy on political activists and journalists. Amid external and internal conflicts, the use of spyware rose by 13%. Independent investigations in Jordan uncovered new cases of the installation of sophisticated Pegasus spyware, which poses a significant threat to privacy. Pegasus can covertly activate microphones, cameras, and access users' messages and data.
Some malware variants targeted individuals specifically in the Middle East. For instance, McAfee's Mobile Research Team discovered an Android malware pretending to be an official app of a Bahraini government agency, offering services for applying for driver's licenses and ID cards. The malware spread through social media and SMS using social engineering, with the goal of financial fraud, as confirmed by the victims.
In the previous period studied, the share of cyberattacks on mobile devices and personal computers was similar. However, from Q3 2023 to Q2 2024, attacks on mobile devices became predominant, growing by 23%.
Mobile devices became an attractive target for cybercriminals, who then used them to quickly access financial resources, personal data, and other valuable information. For example, researchers from Zimperium discovered over 200 fake mobile Android apps that mimic applications of major Iranian banks to steal information from their clients. The increased use of mobile devices for financial transactions is attractive to cybercriminals, making fraud involving mobile payments and banking apps more frequent.
Recommendations for individuals
Here are the latest recommendations for individuals in the Middle East to help them protect their personal information and minimize the risks of cyberattacks:
- Don't use the same password for different accounts.
- Consider using a password manager to store and create complex passwords.
- Enable two-factor authentication for all important accounts (including email, social media, and banking services).
- Install and regularly update antivirus software to protect against malware that can steal your data.
- Enter credit card information only on well-known and verified websites.
- Never share personal information, such as passwords or credit card details, via email or phone unless you are sure the request is legitimate.
- Download apps only from official stores like Google Play and the App Store.
- Before installing an app, make sure it is developed by a trusted company.
- Teach children not to share personal information (name, age, address, phone number) with strangers online.
Trends and forecasts
The impact of the geopolitical situation
Rising tensions may lead to an increase in DDoS attacks on media and government institutions.
Hacker groups could form alliances and coordinate their actions to carry out complex and large-scale attacks. Participants of such alliances will be able to exchange knowledge and resources, including computing power, botnets, and access to various vulnerabilities. This will enhance the effectiveness of attacks and make them more destructive.
To participate in DDoS attacks, attackers can recruit volunteers to use their internet resources to disable target web servers. The volunteers will simply need to set up the provided DDoS tools and launch the attack—no deep technical knowledge is required. The main requirement is their willingness to participate.
Cyberattacks on critical infrastructure
Middle Eastern countries import around 85% of their food, and their water supply is provided through seawater desalination systems. Energy costs for cooling are another critical factor affecting the region's economic stability. High temperatures for much of the year require intensive use of air conditioning systems. In some countries, 70% of all electricity in summer goes towards air conditioning.
Cyberattacks on critical infrastructure can trigger non-tolerable events in any region. In the Middle East, they can lead to disruptions in energy and water supply, potentially causing economic crises and humanitarian issues.
The shift in cybercriminal motives towards financial gain
Hacktivists, originally motivated by political or social goals, could shift their technical skills to profit-driven attacks to support their organizations or meet personal needs.
Darknet markets, where stolen data, hacking tools, and other valuable assets are sold, motivate cybercriminals to commit financial crimes, with instances of ransom payments or data sales inspiring copycat actions. Examples of successful cyberattacks that gain widespread attention create the illusion of easy money.
The financial sector is a prime target for financially motivated cyberattacks because of the concentration of confidential data and funds. The industry faces challenges like vulnerabilities related to remote work and clients sharing their credentials with third parties during digital banking. This complicates information security management in the financial sector.
According to analysts' forecasts, the development of the banking system and favorable conditions for international banks are driving the growth of the cybersecurity market in the Middle East, projected to reach $23.4 billion by 2028, with a compound annual growth rate (CAGR) of 9.6%. With increasing digitalization and more online transactions, financial organizations will need to strengthen measures to protect against threats such as phishing, malware, and insider threats.
Cyberattacks on cryptocurrencies
According to a Chainalysis report, the MENA region is one of the fastest-growing cryptocurrency markets in the world, with a projected value of $389.8 billion. However, alongside these positive trends, cyberthreats are on the rise, posing serious risks to participants in the cryptocurrency market.
Unlike banking systems, where customer funds are protected by multiple layers of security including authentication, encryption, and real-time transaction monitoring, cryptocurrencies are stored in digital wallets vulnerable to phishing, malware, and other types of attacks.
Moreover, cryptocurrency exchanges and decentralized finance platforms themselves become targets for attacks. Hacks, smart contract exploits, and infrastructure attacks can lead to significant asset losses. For example, the cryptocurrency exchange Rain licensed in the UAE and Bahrain confirmed a serious hacking incident, resulting in losses of around $15 million.
Cyberattacks on industrial IoT and smart city infrastructure
The implementation of IoT devices in industry and smart city infrastructure significantly enhances efficiency, automation, and quality of life. The IoT market is anticipated to generate a revenue of $11.96 billion by the year 2024, with a compound annual growth rate (CAGR) of 10.39% from 2024 to 2028. However, the rapid development of IoT technologies brings with it serious cybersecurity challenges.
The expansion of connected devices increases the attack surface, giving cybercriminals new vectors for breaking in. The main sources of vulnerabilities are insufficient protection of devices at the hardware and software levels, a lack of security standardization, and underestimation of risks by organizations.
Remote access to critical systems can lead to non-tolerable events, including disruptions in production processes, interruptions in city services, and even physical damage to infrastructure. For example, compromising a traffic management system could cause chaos on the roads, and an attack on power supply systems could paralyze an entire metropolitan area.
Cyberattacks on public service systems
Digital transformation facilitates how citizens interact with government agencies. In 2023, Bahrain made a significant leap towards digitalization in its government services, conducting around 10.4 million transactions through digital channels. This led to an 85% reduction in operational costs for the government.
Superapps act as a single entry point for various government systems and services, making them high-priority targets for targeted attacks. A breach of such an app can provide access to numerous databases and services with minimal effort.
According to Gartner forecasts, by 2027, more than 50% of the global population will be daily active users of multiple superapps. An example of a superapp is Qatar's official e-government portal Hukoomi, which offers over 1,400 services online.
To address growing challenges, it is important to develop and implement a comprehensive state-level cybersecurity strategy. This strategy should include the protection of critical infrastructure, coordination between public and private sectors, and international cooperation for sharing information and resources.
Recommendations for protection
Given the rise in cybercrime and the severe consequences of cyberattacks, organizations in the Middle East must prioritize cybersecurity. They need to use tools, services, and methodologies to improve their ability to monitor and respond to security incidents, while also raising awareness and vigilance among employees to prevent cyberattacks. One of the most effective solutions is a comprehensive approach to result-driven cybersecurity. This involves creating a continuous, automated protection system for the entire IT infrastructure, tailored to the specifics of an organization's activities and business processes.
To build such a system, organizations need to identify and assess the information assets that require protection. They should also identify non-tolerable events resulting from a cyberattack and preventing the organization from achieving its operational or strategic goals, or significantly disrupting its core activities.
Once the assets and non-tolerable events are identified, organizations should take measures to assess the security of their systems (conduct cyber exercises and penetration tests) and verify non-tolerable events (by assessing the likelihood of their occurrence). Based on the security assessment results, the organization should select protection components that will ensure the three main elements of result-driven cybersecurity:
Monitoring
A real-time security system must monitor what is happening with the protected assets and how well the infrastructure elements comply with security standards.
Implementing SIEM (security information and event management) systems allows an organization to track and analyze security events, detect attacks, and assess the compliance of protected infrastructure elements with security requirements.
To detect attacks in industrial systems, SIEM solutions can be enhanced with specialized products for analyzing traffic in ICS networks. These products monitor unauthorized actions and malware activity without negatively impacting production processes.
Response
The system must understand the hacker's intent to swiftly and effectively respond to incidents, while also preventing non-tolerable events.
Combining XDR (extended detection and response) with SIEM solutions enables organizations to detect attacks within the infrastructure and respond to them both manually and automatically. Threat detection and response capabilities can be enhanced by using a sandbox for static and dynamic analysis of threats, helping to detect advanced malware. For expert incident investigations, NTA (network traffic analysis) solutions are used for deep traffic analysis and detecting malicious activity. NTA systems also serve as sensors for SIEM solutions, providing information about the network status and helping with proactive threat hunting.
Asset management
A key function of a security system is the continuous inventory and classification of assets, taking into account non-tolerable events and ways that cyberattacks could develop.
VM (vulnerability management) systems automate asset management and the detection and remediation of vulnerabilities in infrastructure components based on the severity level of vulnerabilities and importance level of assets. VM systems also monitor the level of infrastructure protection against vulnerabilities exploited in real-world attacks.
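The two steps described above, tying asset importance to the non-tolerable events identified earlier and then prioritizing vulnerabilities by severity, asset importance and real-world exploitation, can be modelled in a few functions. The following is an added example written for this page, not code from the report or from Positive Technologies; the scoring formula, the three-tier importance scale and the inventory are assumptions, and only CVE-2021-36260 (the Hikvision camera vulnerability cited above) is taken from the report, the other identifiers being placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_exposed: bool
    # Non-tolerable events this asset could trigger if compromised
    # (the output of the asset / non-tolerable event identification step).
    non_tolerable_events: frozenset = frozenset()


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: Asset
    cvss: float               # base severity, 0.0-10.0
    exploited_in_wild: bool   # seen in real-world attacks (e.g. a KEV-style feed)
    remediated: bool = False


def asset_importance(asset: Asset) -> int:
    """Assumed three-tier scale: 3 if the asset sits on the path to a
    non-tolerable event, 2 if it is merely internet-exposed, 1 otherwise."""
    if asset.non_tolerable_events:
        return 3
    return 2 if asset.internet_exposed else 1


def priority(f: Finding) -> int:
    """Assumed composite priority: severity in tenths times asset importance,
    x1.5 when exploited in the wild, +20 when reachable from the internet.
    Integer arithmetic keeps scores exact and directly comparable."""
    score = round(f.cvss * 10) * asset_importance(f.asset)
    if f.exploited_in_wild:
        score = score * 3 // 2
    if f.asset.internet_exposed:
        score += 20
    return score


def triage(findings):
    """Open findings, highest priority first."""
    return sorted((f for f in findings if not f.remediated),
                  key=priority, reverse=True)


def exploited_exposure(findings) -> float:
    """Share of assets still carrying an unremediated vulnerability that is
    exploited in real-world attacks: the protection level a VM system tracks."""
    assets = {f.asset for f in findings}
    at_risk = {f.asset for f in findings
               if f.exploited_in_wild and not f.remediated}
    return len(at_risk) / len(assets) if assets else 0.0


def events_at_risk(findings) -> dict:
    """Map each non-tolerable event to the open CVEs that could lead to it."""
    out = {}
    for f in findings:
        if f.remediated:
            continue
        for event in sorted(f.asset.non_tolerable_events):
            out.setdefault(event, []).append(f.cve)
    return out


# Constructed inventory for illustration only. CVE-2021-36260 is the one
# identifier taken from the report; PLACEHOLDER-CVE-* are not real advisories.
PLC_GATEWAY = Asset("desalination-plc-gateway", False,
                    frozenset({"water supply disruption"}))
IP_CAMERA = Asset("perimeter-ip-camera", True)
HR_SERVER = Asset("hr-file-server", False)
PORTAL = Asset("citizen-services-portal", True,
               frozenset({"leak of citizens' personal data"}))

SAMPLE_FINDINGS = [
    Finding("PLACEHOLDER-CVE-0001", PLC_GATEWAY, 9.8, exploited_in_wild=False),
    Finding("CVE-2021-36260", IP_CAMERA, 9.8, exploited_in_wild=True),
    Finding("PLACEHOLDER-CVE-0002", HR_SERVER, 7.5, exploited_in_wild=False),
    Finding("PLACEHOLDER-CVE-0003", PORTAL, 6.5, exploited_in_wild=True),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"{priority(f):4d}  {f.cve:22s} {f.asset.name}")
    print("exploited exposure:", exploited_exposure(SAMPLE_FINDINGS))
    print("events at risk:", events_at_risk(SAMPLE_FINDINGS))
```

Note that the medium-severity, exploited-in-the-wild flaw on the exposed portal outranks the critical but unexploited flaw on the isolated PLC gateway, which is the effect of weighting real-world exploitation and asset importance rather than CVSS alone.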
If an organization develops software products and web applications, it's essential to implement secure development processes and use source code analysis tools to identify vulnerabilities and design flaws during the development phase.
Using bug bounty platforms can help organizations establish a continuous vulnerability assessment process for their services and optimize security costs.
Employees are the main asset of any organization and, at the same time, one of the main vectors for attacks on corporate systems. Enhancing employees' cybersecurity awareness is essential for building a robust defense for a company. Following digital hygiene rules reduces the likelihood of endpoints being compromised, as users who are aware of the latest threats will not open attachments from suspicious emails or connect unfamiliar devices. Instead, they will report suspicious activity and attack attempts to the security operations center (SOC).
A combination of properly configured security tools, an experienced cybersecurity team, and process continuity enables maximum automation and centralization of security management, achieving the ultimate goal: protecting the organization from non-tolerable events.
About this report
This report presents an analysis of current information security threats in the Middle East, based on internal expertise from Positive Technologies, data from the dark web, and information from authoritative sources. The research is aimed at organizations and individuals interested in the current state of information security.
The term "Middle East" in this report refers to the following countries: Bahrain, Cyprus, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Oman, Palestine, Qatar, Saudi Arabia, Syria, the United Arab Emirates (UAE), and Yemen. The currency mentioned is the United States dollar (USD).
Our research aims to uncover the most relevant methods and motives behind cyberattacks, as well as identify key trends in the evolving cyberthreat landscape.
We believe that most cyberattacks remain undisclosed due to reputational risks, making it challenging to accurately determine the number of threats, even for organizations specializing in incident investigations and analyzing cybercriminal groups.
In this report, each mass attack, such as a phishing campaign targeting multiple addresses, is considered a single event rather than several individual incidents. All terms used in the report are provided in the glossary on the Positive Technologies website.