Cybercrime gang targeting MENA government organisations
Gang attempts to compromise government systems by sending malware to IT and IR staff
Kaspersky Lab has warned of an increase in activity by an Arabic-speaking cybercriminal group which targets government organisations in the MENA region.
The ‘Gaza cybergang’ has been active since 2012, but has been particularly active in the second and third quarters of this year.
The attackers focus on government entities, especially embassies, primarily targeting IT and incident response staff by sending them malware files. The group has attacked government entities in countries including Egypt, the United Arab Emirates and Yemen.
The Gaza cybergang actively sends malware files to information technology (IT) and incident response (IR) staff. Kaspersky Lab experts suspect that IT personnel are targeted because they are known to have more access and permissions inside their organisations than other employees, mainly because they need to manage and operate the infrastructure. Similarly, IR staff may be targeted for having access to sensitive data related to ongoing cyber investigations in their organisations, as well as special access and permissions enabling them to hunt for malicious or suspicious activities on the network.
Despite targeting high-level entities such as government bodies, the Gaza team uses well-known remote administration tools (RATs), XtremeRAT and PoisonIvy, spreading infections via phishing. With these simple infection tools, they successfully hit their targets through crafted social engineering: special file names, content and domain names (e.g. gov.uae.k*m) that help the group in their hunt for targets.
The gang uses .exe files to deliver the malware, with provocative file names in Arabic such as ‘Indications of disagreement between Saudi Arabia and UAE.exe’ and ‘Wikileaks documents on Sheikh.exe’.
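The two lures described above, an executable attachment carrying a provocative file name and a sender domain that imitates a government zone, are both visible in mail metadata before anything is opened. The following screening routine is an added example written for this article, not Kaspersky Lab's code or tooling: the trusted government zones, the sample messages and the placeholder lookalike domain `gov.uae.example` are constructed (the article redacts the real TLD as `k*m`). It goes slightly beyond the text by also flagging double extensions and right-to-left override characters, two common ways of disguising an executable attachment.

```python
"""Screen inbound mail metadata for executable attachments and lookalike
government sender domains.

Added example for illustration; not code from Kaspersky Lab or the article.
The trusted-zone list and sample messages below are constructed."""
import re
from dataclasses import dataclass, field

# File extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".hta"}

# Assumption: a real deployment loads the organisation's own allowlist of
# legitimate government zones. These three are constructed for the example.
TRUSTED_GOVERNMENT_ZONES = ("gov.ae", "gov.eg", "gov.ye")

RIGHT_TO_LEFT_OVERRIDE = "\u202e"


@dataclass
class Message:
    sender: str
    attachments: list  # attachment file names as they appear in the MIME part


@dataclass
class Verdict:
    flags: list = field(default_factory=list)

    def suspicious(self):
        return bool(self.flags)


def attachment_extension(name):
    """Return the real (last) extension, lower-cased, or '' if none.

    The operating system acts on the raw string, so a decoy middle extension
    ('budget.pdf.exe') or a display-only trick does not change what runs."""
    m = re.search(r"(\.[A-Za-z0-9]{1,4})$", name)
    return m.group(1).lower() if m else ""


def sender_domain(address):
    """Extract the domain from 'Name <user@host>' or 'user@host'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def looks_like_government(domain):
    """True when 'gov' appears as a label anywhere in the domain."""
    return "gov" in domain.split(".")


def is_trusted_government(domain):
    """True only when the domain sits under an allowlisted government zone."""
    return any(domain == z or domain.endswith("." + z)
               for z in TRUSTED_GOVERNMENT_ZONES)


def screen(msg):
    """Produce a Verdict listing every reason the message deserves review."""
    verdict = Verdict()
    domain = sender_domain(msg.sender)
    if looks_like_government(domain) and not is_trusted_government(domain):
        verdict.flags.append(f"sender domain '{domain}' imitates a government zone")
    for name in msg.attachments:
        if attachment_extension(name) in EXECUTABLE_EXTENSIONS:
            verdict.flags.append(f"executable attachment: {name!r}")
        if RIGHT_TO_LEFT_OVERRIDE in name:
            verdict.flags.append(f"right-to-left override in attachment name: {name!r}")
    return verdict


def screen_all(messages):
    """Map each sender to its list of flags; empty list means nothing found."""
    return {m.sender: screen(m).flags for m in messages}


# Constructed samples. The first mirrors the lure described in the article
# (file name taken from the text, lookalike domain is a placeholder).
SAMPLE_MESSAGES = [
    Message("press@gov.uae.example",
            ["Indications of disagreement between Saudi Arabia and UAE.exe"]),
    Message("Protocol Office <protocol@mofa.gov.ae>", ["agenda.pdf"]),
    Message("news@example.org", ["budget.pdf.exe"]),
]

if __name__ == "__main__":
    for sender, flags in screen_all(SAMPLE_MESSAGES).items():
        print(sender, "->", flags or "clean")
```

The domain check is deliberately narrow: it only fires when a sender uses a `gov` label outside a zone the organisation has vouched for, which keeps false positives low for legitimate inter-ministry mail while still catching the pattern the article describes. Extension checks belong on the raw attachment name rather than on whatever the mail client renders.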
"According to the list of targets, which includes government entities in the Middle East and North Africa region, we're witnessing politically motivated cyberattacks. By gaining control of computers with greater access to the system, the cybercriminals increase their chances of stealing valuable information and are much more likely to cause significant damage. As attribution is the most complicated - often impossible - task when analyzing a malicious cyber-campaign, we don't as yet know who is behind it," said Mohammad Amin Hasbini, senior security researcher, Global Research & Analysis Team, Kaspersky Lab.