Cybersecurity experts from Symantec have discovered a new “highly active” espionage group that appears to be based in Iran.
— Cyware (@CywareCo) July 25, 2018
The firm’s investigation revealed that the group, which researchers are calling “Leafminer,” has been targeting government organizations and firms in the Middle East.
The espionage group has been attempting cyberattacks on organizations in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan.
Symantec obtained a list of more than 800 organizations based in those countries that the group has either already targeted or plans to target.
Analysts believe that Leafminer is based out of Iran because all of those organizations are located outside of the country, and the list was written in Farsi.
“All the target organizations, they have some kind of political discourse ongoing with Iran, and Iran is actually missing from the list themselves. From an analytics perspective, that just adds to the fact that they’re likely to be from Iran,” said Vikram Thakur, technical director at Symantec.
Analysts noticed that the group has been active since 2017, but dramatically “ramped up” its activity at the end of the year and into the start of 2018. In addition, Thakur said that the group is “continuing to conduct attacks as of right now.”
Symantec has yet to find any evidence that the group is operating on behalf of the Iranian government, but Thakur mentioned that it is “possible.”
During the investigation, the analysts witnessed Leafminer executing attacks on more than 40 organizations, with many of the attacks being instantly blocked.
Some of the attacks were successful, though, and the hackers were able to gain access to the victims’ networks. The group managed to compromise a Lebanese intelligence agency website and infect it with malware that could infiltrate the local systems of vulnerable visitors.
It’s currently unknown what information the hackers are seeking to obtain. Many groups will sell the stolen sensitive information that they acquire to fraudsters and terrorists.
Leafminer has been using both publicly available hacking tools and custom malware to conduct the attacks. The group has also been using the “EternalBlue” exploit, which was recently leaked by the Shadow Brokers group.
Thakur said that the hackers are using a sophisticated system to conduct the attacks, and that there’s no sign that they will be stopping soon.
“Some of those Middle Eastern organizations might have branches or subsidiaries in Western countries, and hackers might get opportunistic. I do believe that their targeting is going to be, if it’s not already, beyond the countries listed,” he said.