
Symantec uncovers hacking group targeting ME government

Leafminer group has targeted government, finance, petrochem organisations across the region

Symantec says it has uncovered an Iran-based hacking group targeting government organisations across the Middle East.

Symantec has uncovered an active hacking group which is targeting organisations in the Middle East.

The group, dubbed 'Leafminer', has been targeting government, finance, energy and other organisations since at least early 2017, the security company has warned, and appears to be based in Iran.

Leafminer tends to adapt publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits. It attempts to infiltrate target networks through several means of intrusion: watering-hole websites, vulnerability scans of network services exposed to the internet, and brute-force/dictionary login attempts. The actor's post-compromise toolkit suggests that the group is looking for email data, files and database servers on compromised systems.
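One of the intrusion methods listed above, brute-force/dictionary login attempts, leaves a recognisable trace in authentication logs. The following is an added example, not part of the Symantec report or this article: a small Python detector that parses constructed sshd-style log lines (placeholder hostnames, usernames and IPs) and flags any source address that produces a burst of failed logins inside a sliding time window. The threshold and window values are assumptions to be tuned per environment.

```python
"""Flag brute-force / dictionary login attempts in sshd-style auth logs.

Added example: the log lines below are constructed, and the threshold and
window defaults are assumptions, not values from the Leafminer report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog + sshd format); hosts, users and IPs are placeholders.
SAMPLE_LOG = """\
Jul 25 10:00:01 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jul 25 10:00:02 gw sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Jul 25 10:00:03 gw sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jul 25 10:00:04 gw sshd[1204]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Jul 25 10:00:05 gw sshd[1205]: Failed password for invalid user guest from 203.0.113.7 port 51005 ssh2
Jul 25 10:00:06 gw sshd[1206]: Failed password for invalid user postgres from 203.0.113.7 port 51006 ssh2
Jul 25 10:00:30 gw sshd[1210]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Jul 25 10:00:45 gw sshd[1211]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Jul 25 10:10:00 gw sshd[1300]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
"""

# Matches only failed-password events; "invalid user" is present for unknown accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2018):
    """Yield (timestamp, username, source_ip) for each failed-login line.

    syslog timestamps carry no year, so one is supplied (assumed here).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures": n, "users": [...]}} for each source with
    at least `threshold` failed logins inside any sliding window of `window`.

    The reported count is the densest window seen; the username list shows
    whether one account is being hammered or many (dictionary style).
    """
    per_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        per_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            # Slide the window start forward until events[start..end] fit in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            users = sorted({u for _, u in events[s:e + 1]})
            flagged[ip] = {"failures": count, "users": users}
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, users={info['users']}")
```

A single user's one-off typo (the 198.51.100.4 line) never reaches the threshold, while the burst of six distinct usernames from 203.0.113.7 is flagged; a real deployment would feed this from the host's auth log or a SIEM query rather than an embedded string.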

Symantec said it has detected attacks mainly against government and finance organisations, but the group has also targeted petrochemicals, shipping and other sectors. Attacks have been seen against targets in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt and Afghanistan.

The security company said it was able to identify Leafminer after discovering the same compromised web server had been used in several different attacks.

Symantec characterized the group as highly active but apparently inexperienced. It has used a mix of publicly available tools and its own malware, has copied some attack methods, and has been quick to add newly disclosed weaknesses, such as the Heartbleed bug, to its MO.

"The group appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors," the company said. "However, Leafminer's eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that's supported by the group's poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group's entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks."

