APT Groups Emerging in Middle East

CANCUN–Since security researchers and vendors began exposing the inner workings of APT groups a few years ago, virtually all of the operations that have been made public have been the work of attackers in Europe, Asia or North America. But recently, groups in the Middle East have joined the game as well.

In 2013, Adrian Nish of BAE Systems was called in to do an investigation at an engineering company in the UK that works with that country’s power industry. He quickly discovered that attackers had been on the company’s network for some time, stealing all kinds of different data. Nish did a bit of digging and realized that Google was indexing some of the servers that the attackers were using to store their stolen data.

“They had taken network diagrams, usernames and credentials from an Israeli university and even an entire Web app that they stole from a group in the Middle East,” Nish said in a talk at the Kaspersky Lab Security Analyst Summit here Monday. “They had even stolen some signatures, physical signatures from people who had scanned them for some reason. What could possibly go wrong with that?”

The attackers appear to be part of a pro-Iranian group and they had a broad set of tools at their disposal, Nish said. Over time, he found nearly 40 distinct tools, including five pieces of custom malware, a key logger, a custom hash cracker and dozens of others. The group, which BAE dubbed Ali Baba after a code name in one of their tools, also had some interesting methods for defeating incident response on compromised networks and for getting data out of the networks.

One tool the attackers used was helpfully called Fakeddos.exe and was used to generate large amounts of fake junk traffic on compromised networks, which would, over time, overwrite the logs of legitimate traffic.

“That really makes incident response quite a pain, really,” Nish said.

To remove data from networks they were on, Nish said that the Ali Baba atatckers had been working on a method for exfiltrating data unseen through email. They disguised the outbound emails as Viagra spam messages to avoid detection.

“The group has probably been working for about two years now,” Nish said. “It’s an emerging trend in the Middle East. That’s a complicated region and the offensive side of things is becoming complicated there too. There’s offensive cyber companies and local malware authoring now.”

Along with the UK company that Nish was working with, the Ali Baba attackers also had compromised transportation companies in South Korea and Pakistan, according to a report from security company Cylance, which calls this group OpCleaver.

Suggested articles