How APT groups operate in the Middle East

A significant portion of the Middle East's economy is driven by the extraction of natural resources. The biggest growth in global oil production was in the Middle East, including Saudi Arabia and the United Arab Emirates (UAE). The region is home to a high concentration of industrial companies and enterprises in the energy sector. These organizations, alongside government agencies, actively employ information technologies. Digitalization has led to significant economic and social growth in Middle Eastern countries. All these factors combine to make the region an attractive target for cyberattacks.

Our specialists recorded details of 141 successful attacks on Middle Eastern countries. More than 80% of these attacks were targeted. One of the primary motives of cybercriminals targeting the Middle East is the theft of valuable information. So, while investigating cybercriminal interests in the Gulf countries, our specialists found that personal data, logins and passwords for online services, and confidential company documentation are among the most discussed items on dark web shadow markets.

The Middle East regularly faces attacks from APT groups—cybercriminal groups carrying out multi-stage, carefully planned attacks targeting a specific industry or group of industries. Their objective in the Middle East is to obtain information that can provide political, economic, and military advantages. Some APT groups have also been observed in hacktivist campaigns and operations aimed at sabotage.

Top of the list of the most attacked countries are Saudi Arabia and the UAE. Companies around the world have offices on their territory; they are considered important players in the Middle East and, as such, are attractive targets for various groups attacking the region.

The list of industries most-attacked by APT groups looks fairly typical. Almost all the studied APT groups operating in the Middle East have, at least once, targeted government institutions and industries, with 69% of the groups attacking the energy sector. It's noteworthy that government agencies are the most attractive targets for all attackers, accounting for 22% of the total number of attacks on organizations in Middle Eastern countries in 2022–2023.

We can also highlight the military-industrial complex, which, due to the geopolitical features of the region, is quite high in the ranking. Middle Eastern media are also frequently targeted compared to other regions, and have historically maintained a high ranking. In addition, after the start of the Israeli operation in the Gaza Strip, the military-industrial complex and the media have been facing even more frequent attacks, including from groups mentioned in this article. The telecommunications sector is among the top five attacked industries. Attacks from Chinese-origin groups play a role here, as telecommunications have long been one of their main targets due to increased interest in 5G.

Next, we will explore the techniques used at different stages of attacks by APT groups in Middle Eastern countries. We will also discuss the measures organizations need to take to avoid falling victim to APT attacks and suffering serious damage.

Complex, targeted attacks begin with reconnaissance. Attackers may conduct extensive network scanning (Active Scanning) to identify suitable targets. As a result, they gain enough information for the initial stage of penetration. This information may include, for example, a list of public systems containing known vulnerabilities (T1595.002). Additionally, attackers may gather lists of subdomains and open web directories for future use in placing web shells (T1595.003). For instance, the Volatile Cedar group used the DirBuster and Gobuster utilities for these purposes.

The APT35 group, targeting mainly Saudi Arabia and Israel in the Middle East, gathered information about employees of target organizations (Gather Victim Identity Information), including mobile phone numbers. These numbers could be used to send messages with links to mobile malware for spying and data theft. The group tracked the IP addresses (T1590.005) and locations (T1591.001) of visitors to their phishing sites. In addition, they identified valuable email addresses (T1589.002) to use as a starting point for their attacks. The Hexane group previously established the identities of managers and employees from the HR and IT departments of target organizations (T1591.004).

After reconnaissance comes the preparation of the tools for the attacks. Cybercriminals may register fake domains (T1583.001) and create email accounts (T1585.002) or social media accounts (T1585.001) for spear phishing. APT35, for example, registered accounts on LinkedIn and other social networks to contact victims and, through messages and voice calls, persuaded them to open malicious links.

To enter the internal network, cybercriminals need a point of entry—a user's work computer or a server, which they infect with malware for further movement within the organization's network. Most APT groups initiate attacks on corporate systems with targeted Phishing. Most often, this involves email campaigns with malicious content (T1566.001, T1566.002). Besides email, some attackers (APT35, Bahamut, Dark Caracal, OilRig) use social networks and messengers for phishing attacks (T1566.003).

The APT35, Bahamut, and Dark Caracal groups infected victims with malware using the watering hole method. In such attacks, attackers compromise web resources that potential victims often visit, so malware gets loaded onto their computers without detection (Drive-by Compromise).

Some attackers gained access to internal infrastructure through vulnerabilities in resources accessible on the internet (Exploit Public-Facing Application). For example, APT35 and Moses Staff exploited a combination of ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) on Microsoft Exchange servers to gain initial access and subsequent control. The APT35 and MuddyWater groups exploited the critically dangerous Log4Shell vulnerability in the Apache Log4j library (CVE-2021-44228, CVE-2021-45046, CVE-2021-44832).

After gaining initial access, attackers seek to establish a foothold in the infrastructure. They take measures to ensure that they can return to the victim's company. To persist in the system, 69% of APT groups use task scheduling (Scheduled Task/Job). In a campaign against the UAE government described by Fortinet specialists in May 2023, the OilRig group created a scheduled task named MicrosoftEdgeUpdateService that triggered every five minutes and launched malicious software.

The majority of attackers (56%) configure the compromised system to automatically execute malware (Boot or Logon Autostart Execution). They do this through registry run keys or by placing a malicious program within a startup folder (T1547.001). For example, the Bahamut group created LNK files in the startup folder, while Dark Caracal's Bandook trojan added a key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run.

A third of APT groups (31%) configured the execution of malicious code based on a specific event (Event Triggered Execution) to establish persistence in the system. For example, the APT33, Mustang Panda, and Stealth Falcon groups established themselves in victim infrastructures by creating subscriptions to WMI events (T1546.003).

If corporate server applications allow administrators to install software, attackers may exploit this to install malicious components (Server Software Component). Thus, 25% of APT groups injected web shells into compromised nodes (T1505.003) to establish persistent access to victim networks. Web shells can be used not only for persistence but also for information gathering. For example, the OilRig group's ExchangeLeech web shell monitors traffic and harvests credentials of users logging in to the server using clear text and basic authentication. The operator can request a list of collected logins and passwords by sending the corresponding command to the web shell through specially designed cookies.

After penetrating a corporate network, attackers examine the environment they have accessed to understand how to proceed. Primarily, attackers are interested in data about the operating system and architecture of the compromised host, as well as information about software versions, installed patches, and update packages (System Information Discovery). For instance, one malware from APT35 used a PowerShell command to determine if the host's processor has x64 architecture, while other malware from this group obtained the operating system version, UUID, and node name and transmitted them to the C&C server.

Attackers gather information about the network configuration and parameters of the compromised system (System Network Configuration Discovery). They launch network diagnostic utilities and malware with corresponding functionalities. The Mustang Panda group used the ipconfig and arp utilities, while the Hexane group used ping and tracert. The Dark Caracal group used a remote access trojan called Bandook, which has a command to obtain the public IP address of a host

Most criminal groups try to identify users in the compromised system and determine their level of activity (System Owner/User Discovery). For this purpose, attackers run system utilities or malware with the relevant functionality. The Caterpillar web shell, developed by the Volatile Cedar group, allows attackers to get system information, network configuration data, lists of user accounts, and more.

Attackers study processes running on compromised hosts (Process Discovery). Both system utilities and malware can be used for this purpose. For example, the APT15 and OilRig groups collected process information using the tasklist command-line utility. The Bitter group used malware that took snapshots of running processes by calling the CreateToolhelp32Snapshot function from the Windows API.

Attackers search for any potentially useful information in files and directories on compromised hosts (File and Directory Discovery). File listing was one of the functionalities of applications deployed by the Bahamut group in the Operation BULL and Operation ROCK campaigns. The MuddyWater APT group used malware that checked the ProgramData directory for subdirectories or files with keywords such as "Kasper", "Panda", or "ESET". The Desert Falcons group has a tool for recursively scanning directories on all disks and searching for specific files by their paths.

To access desired information, attackers may need additional credentials. One common technique is extracting passwords from the memory of system processes (OS Credential Dumping). The APT15, APT33, APT35, MuddyWater, and OilRig groups used publicly available tools like Mimikatz or LaZagne for this purpose (T1003.001, T1003.004, T1003.005). The APT15 and Mustang Panda groups extracted accounts from the NTDS.dit file, the database storing Active Directory information (T1003.003). Mustang Panda used the vssadmin system utility, designed to manipulate shadow copies. They used it to create a shadow copy of the victim domain controller's volume and extract from it the NTDS.dit file, which stores the hashed passwords of all domain users.

Another common technique for obtaining accounts is to intercept data entered by the victim on a compromised device (Input Capture). To implement this, attackers use specialized malware known as keyloggers. For instance, the APT15, APT35, Bahamut, Desert Falcons, Molerats, and Volatile Cedar groups possess keyloggers.

Some groups extracted credentials from specialized stores (Credentials From Password Stores), including browsers (T1555.003). The OilRig and Stealth Falcon groups stole them from the Windows Credential Manager (T1555.004).

There are other methods for collecting credentials. For example, the APT33, Hexane, OilRig, and Volatile Cedar groups obtained passwords through Brute Force. This works in organizations with weak password policies, where employees can set weak passwords. Unsecured or weakly protected logins and passwords (Unsecured Credentials) make easy targets. This includes passwords stored by administrators in Group Policy Preferences (T1552.006). Despite these passwords being encrypted, there are specialized tools that can extract and decrypt them. For example, the APT33 group used the Get-GPPPassword utility for this purpose.

The majority (56%) of APT groups took screenshots of victims' screens (Screen Capture) and transmitted them to their servers. Some recorded videos from the victim's screen (Video Capture) and audio from the microphone (Audio Capture). Malware, including self-developed tools like StrifeWater and CANDYKING, was used for screenshots, videos, and audio recordings. The Dark Caracal group used the Bandook malware, which has modules capable of capturing video from the victim's webcam and sound from the microphone.

Attackers sought valuable information directly on employees' computers, including user and configuration files and local databases (Data From Local System). For instance, the Dark Caracal group collected the entire contents of the Pictures directory from compromised Windows hosts.

Some groups archived collected data. For example, the Mustang Panda group used an archiver to create password-protected archives of collected documents (T1560.001) and encrypted files with RC4 (T1560.003) before sending them to the attackers' server. The Molerats group used the DustySky tool, which created temporary directories to store collected files and allowed them to be archived before being sent outside the corporate infrastructure. One in four groups automated data collection.

As and when needed, APT groups loaded additional tools to maintain and expand their foothold in the victim's infrastructure (Ingress Tool Transfer). Transfer was carried out through communication channels with C&C servers or alternative protocols. 88% of groups used common application layer protocols to communicate with the C&C server. For example, APT35 interacted with its command center using the IRC protocol, while the OilRig group used the DNS protocol (T1071.004), specifically the public tunnel service requestbin.net. The MuddyWater group's Small Sieve malware interacted with its command center via the Telegram API over HTTPS (T1071.001). Using common application layer protocols leads to malicious activity being mixed with legitimate traffic, complicating detection.

63% of APT groups used encryption to disguise communication channels (Encrypted Channel). Most groups encrypted traffic using the symmetric AES and RC4 algorithms (T1573.001). The OilRig group used the plink utility (T1573.002) to create tunnels.

To exchange information and files with the C&C server, every third group used external legitimate web services (Web Service). For example, APT35's malware operated through the SOAP web service. The MuddyWater group exploited the Onehub cloud storage to distribute remote access tools. The Mustang Panda group used Dropbox to distribute the PlugX Trojan.

The OilRig group employed an interesting method of controlling malware in a campaign described by Symantec. The attackers used the victim's Microsoft Exchange mail server as a C&C, sending emails to compromised mailboxes with "@@" symbols in the subject lines. The PowerExchange backdoor recognized these emails, executed the instructions contained in them, and then automatically deleted them. Exchange server requests from the internal network didn't raise network traffic anomalies, allowing the attackers to remain unnoticed for a long time. According to Symantec, OilRig's campaign lasted from February to September 2023.

For APT groups, it's crucial to remain unnoticed in a compromised environment for as long as possible. They employ various methods to hide traces of their presence. Typically, attackers pre-test samples of their malware and subsequently modify them to bypass antivirus detection. One method is to obfuscate malicious code using special packers (Obfuscated Files or Information). For example, the Dark Caracal group obfuscated Bandook's strings by encoding them to Base64 and then encrypting them.

A common way to bypass protection is to disguise malware as legitimate files or applications (Masquerading). For example, the Bahamut group used icons mimicking Microsoft Office files to disguise malware. Additionally, this group tried to hide executable files by changing the file extension to .scr, simulating Windows screensavers. The OilRig group used .doc file extensions to disguise malware as office documents. Another example is the Moses Staff group's StrifeWater malware. They named it calc.exe to make it look like a legitimate calculator program.

Over half (56%) of APT groups remove signs of their activity (Indicator Removal): clearing event logs and network connection histories, and changing timestamps. For example, APT35 deleted mailbox export requests from compromised Microsoft Exchange servers. Most attackers completely remove their arsenal of software from compromised devices after achieving their goals. This makes it much more difficult for cybersecurity professionals to conduct investigations after the incident.

To bypass defenses, attackers often proxy the execution of malicious commands using files signed with trusted digital certificates (System Binary Proxy Execution). For example, the APT35 group used the rundll32.exe file to execute the MiniDump function from the comsvcs.dll system library when dumping the LSASS process memory. Another example is the Dark Caracal group, which used a Microsoft Compiled HTML Help file containing a command to download and execute malicious files.

APT groups targeting government institutions and large enterprises in the Middle East are typically focused on long-term infrastructure control. Their objectives may include not only espionage but also sabotage or cyberwarfare. Attackers can remain unnoticed in corporate networks for an extended period and only strike at a geopolitically crucial moment.

In such cases, combating complex targeted attacks requires a special approach based on the concept of results-oriented cybersecurity. If this approach is successfully implemented, the infrastructure and processes are built in such a way that even if attackers penetrate the organization's network, they cannot inflict non-tolerable damage. In other words, the primary goal becomes eliminating the possibility of non-tolerable events—events that prevent an organization from achieving its operational or strategic goals or lead to significant disruption of its core business as a result of a cyberattack. These events are defined by the organization's top management and lay the foundation for a cybersecurity strategy.

To build effective defense against complex targeted attacks, we recommend that organizations pay attention to the fundamentals of results-oriented cybersecurity.

Asset management

One of the main components is a constant inventory of assets and their prioritization, taking into account non-tolerable events and potential cyberattack scenarios. Here, solutions like VM (Vulnerability Management) can be helpful. These systems automate asset management and the detection and remediation of vulnerabilities in infrastructure components, depending on their severity level. For companies involved in the development of software products and web applications, we recommend considering source code analysis tools to identify vulnerabilities and design flaws during the development phase.

Incident monitoring and threat response

Monitoring involves the continuous process of observing and analyzing event log results from various sources to identify violations, threats, and vulnerabilities. A SIEM (Security Information and Event Management) system can assist in this task. It allows security teams to track and analyze security events, detect attacks, and assess the compliance of protected infrastructure elements with security requirements. Industrial and energy companies are recommended to consider specialized solutions for analyzing ICS traffic. They help detect malicious activity without negatively impacting production processes. To prevent unacceptable events, prompt response is crucial. Combining a SIEM system with XDR (Extended Detection and Response) solutions can provide effective protection.

In the case of APT groups operating in the Middle East, it is evident that cybercriminals possess a whole arsenal of techniques to conceal their presence in compromised infrastructure and disguise malicious traffic as legitimate. Therefore, deep analysis of network traffic is essential for timely threat detection and response. NTA (Network Traffic Analysis) solutions can help address this challenge. These tools detect malicious activity on the perimeter and inside the network, including in encrypted traffic. All the APT groups we have examined employ their own custom-developed malicious programs. Sandboxes can also help to identify sophisticated malware.

Cybersecurity training

Employee training programs should focus on increasing awareness of the latest cyberthreats, including APT attacks. Training programs should cover topics such as creating secure passwords, safe email practices, the importance of timely software updates, rules for handling and storing confidential information, and the use of public wireless networks, among other aspects of cybersecurity. It's crucial that employees understand the basic principles of security and can easily adhere to them in their daily work. For this purpose, it can be useful to conduct periodic employee testing, for example, by simulating phishing attacks.

Security assessment

An important step towards protecting against APT attacks is regular security assessment activities, such as cyberexercises and penetration testing. To confirm the actual level of security, we recommend using approaches aligned with the concept of results-oriented security. Bug bounty programs are also worth considering. They help organizations to build a continuous service security assessment process and optimize their security spending.

Due to the active digital transformation of enterprises and the shift towards e-government in the Middle East, the relevance of APT attacks will only increase. Protecting against professional cybercriminals using standard tools has become impossible. Attackers are developing exploits for new vulnerabilities, upgrading malware, and seeking completely new ways to achieve their goals. To succeed in combating APT attacks, organizations must be ready to restructure their defense systems and adopt new approaches and solutions.

In this study, we analyzed the tactics and techniques of 16 APT groups that have been operating in the Middle East countries over the past few years. You can find brief descriptions of the groups at the end of the report. During the research, we came to the conclusion that some of the groups categorized as hacktivists by certain vendors are not actually hacktivist in nature. For instance, in one of our previously published studies, we classified the Moses Staff group as hacktivists—cybercriminals attempting to draw attention to a political issue. However, after a more in-depth analysis, we reached the conclusion that Moses Staff attacks are more sophisticated than hacktivist ones, and the group poses a greater threat than hacktivist groups typically do. So, Moses Staff can be classified as an APT group.

The term "Middle East" in this report refers to the following countries: Bahrain, Egypt, Israel, Jordan, Iraq, Iran, Yemen, Qatar, Cyprus, Kuwait, Lebanon, United Arab Emirates (UAE), Oman, Palestine, Saudi Arabia, Syria.

The tactics and techniques of these groups are described in terms of the MITRE ATT&CK Matrix for Enterprise (version 13.1). The report provides links to detailed descriptions of the mentioned techniques. Additionally, examples of the use of some subtechniques can be found in the report, with links to them in brackets using identifiers (for example, T1595.001).

The report is based on our own expertise as well as data from authoritative sources. Its purpose is to draw the attention of companies interested in the current state of information security to the most relevant tactics and techniques of APT attacks in the Middle East. The terms used in the report are explained in the glossary on the Positive Technologies website.

APT15

This group, which some researchers believe to have Chinese origins, has been operating since at least 2010. It attacks government organizations, embassies, and economic sectors in multiple countries. The group uses its own malware and publicly available tools. Researchers found connections between APT15 and a malicious actor who developed spying mobile applications involved in attacks on Uighurs.

APT33

This group targets government and private organizations related to aviation and energy. Activity has been observed since 2013. The attackers use both publicly available tools and their own ones with elements of the Farsi language, leading researchers to suggest a connection to Iran.

APT35

Researchers link this group to the Islamic Revolutionary Guard Corps (IRGC). APT35 targets both economic sectors and individuals, specializing in stealing confidential information using its own malware, as well as exploiting recently discovered vulnerabilities (N-day). The group has several subgroups, one of which is Nemesis Kitten (also known as DEV-0270 and Storm-0270).

Bahamut

A "hack-for-hire" mercenary cybercriminal group, active since 2016. The group attacks both high-ranking government officials and industrial magnates in India, the UAE, and Saudi Arabia, as well as those supporting Sikh separatism or human rights movements in the Middle East. The group possesses its own software and is involved in creating malicious apps for Android and iOS mobile devices, distributing them through Google Play and App Store.

Bitter

Many researchers believe this cybercriminal group to have Indian origins. Active since 2013. As confirmed by researchers from Anomali, Bitter attacks military and industrial targets in China and Pakistan, with activity also observed in other countries. The group uses various tools, including Android malware. Originally based on AndroRAT, they later developed their own tools, and exploit many vulnerabilities, such as CVE-2021-28310.

Dark Caracal

This group has been operating since at least 2012. According to researchers from Lookout, the group has Lebanese roots and conducts large-scale espionage campaigns worldwide. Since 2021, it has been seen in South and Central America. Typically for APT groups, Dark Caracal's targets include industrial and defense enterprises and individuals involved in activist, legal, or journalistic activities. The group uses tools that record video and capture keyboard input for subsequent transmission of information to the group's servers.

Desert Falcons

This group has been active since at least 2011. According to some researchers, including from Sekoia.io, it is linked to the Palestinian movement Hamas. Their main targets are concentrated in Israel, but attacks have also been recorded in other countries. The group has an arsenal of malware for computers and mobile devices, and regularly updates it. Among their victims are private individuals, as the group carries out attacks targeting users of iOS and Android-based mobile devices.

Hexane

This group has been attacking Middle Eastern and African countries since 2017. According to some researchers, for example from Sekoia.io, it has Iranian roots. The group's goals are politically motivated. Their tactics and techniques are similar to APT33 and OilRig (supposedly Iranian groups), but Hexane's tools and the uniqueness of its victims make it difficult to determine whether this group belongs with those ones. The attackers use their own backdoors written in C# and C++, PowerShell scripts, as well as open-source programs like Empire.

Molerats

It has been suggested that this group is Arab in origin and is politically motivated. Activity has been observed since 2012. According to researchers from Clearsky, the group is linked to the Palestinian movement Hamas. The group mainly targets enterprises in the Middle East but has also been observed attacking organizations in Europe and the United States. The group has both self-developed tools and various remote control malware, also used by other groups operating in the Middle East.

Moses Staff

According to researchers from Cybereason, this group may be linked to Iran. Its main goal is espionage.

Muddy Water

This group has been active since 2017. According to researchers, for example from Sekoia.io, the group may have Iranian roots. The primary targets are Middle Eastern countries, but the group also attacks countries in Asia, Africa, Europe, and North America. They often use open-source tools and exploit known vulnerabilities to gain access to the victim's computer for further data theft. The group also possesses an extensive arsenal of its own tools that are constantly being improved.

Mustang Panda

Crowdstrike researchers believe that this group has Chinese origins. Its activity has been recorded since at least 2014. They target countries neighboring China and conduct large-scale campaigns, all linked to the geopolitical interests of the People's Republic of China (PRC). Since 2022, they have actively attacked European countries, primarily embassies and diplomatic missions. The group uses tracking pixels in phishing campaigns. They have various tools in their arsenal, including Cobalt Strike and modified versions of PlugX, as well as self-developed malware.

OilRig

According to researchers, including from Sekoia.io, the group is supported by Iran. OilRig's main victims are predominantly organizations in the Middle East. Its activity was first recorded in 2012 during a wave of attacks in the Middle East. The group is known for its wide range of tools and the use of supply chain attacks to gather strategic information.

Stealth Falcon

According to some researchers from Citizenlab and sources from Reuters, the group is supposedly associated with the UAE. Active since at least 2012, it targets political activists, journalists, and dissidents in Arab countries. It uses self-developed malware and exploits zero-day vulnerabilities.

Volatile Cedar

This group has been active since 2012. Researchers from ClearSkySec found that the group's servers were located in Lebanon. The attacks are often politically motivated, targeting companies and individuals worldwide. The group uses publicly available tools and its own software, capable of bypassing most antivirus defenses.

Wirte

This group has been operating since 2018 at least. The group targets victims in Syria, Lebanon, Jordan, and other Middle Eastern countries. As confirmed by Proofpoint, the group is probably politically motivated and may be associated with the Molerats group. The attackers send phishing emails with documents in Arabic containing VBA macros that download additional payloads. Additionally, the group has been observed using the post-exploitation framework Empire.

Download heat map