The group, dubbed “Leafminer,” has attacked networks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan, according to a report issued by US cyber security firm Symantec.

Hacker
Hacker. (photo credit: INGIMAGE / ASAP)

 

Manama, Bahrain (Tribune News Service) – A group of “highly active” hackers based in Iran have been found to be trying to steal vital information from governments in the Middle East.

The group, dubbed “Leafminer,” has attacked networks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan, according to a report issued by US cyber security firm Symantec.

However, an Information and eGovernment Authority (iGA) spokesman told the GDN yesterday “no indication was found up until now that Leafminer targeted the portal or any systems managed by IGA.”

The cyber espionage group’s targets includes the “energy, telecommunications, financial services, transportation and government” sectors.

Means of intrusion used to infiltrate target networks consisted of infecting malware on websites often visited by the users, also known as watering hole style attacks, and using brute-force login attempts, which features trying numerous passwords with the hope of eventually breaching the network.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East,” stated a threat intelligence report by Symantec.

Operations reportedly began in early 2017 but has increased since the end of last year.

“Leafminer is a highly active group, responsible for targeting a range of organizations across the Middle East.

“The group appears to be based in Iran and seems to be eager to learn from, and capitalize on, tools and techniques used by more advanced threat actors.”

The report also said an investigation into Leafminer revealed a list, written in Farsi, of 809 systems targeted by the hackers.

“Targeted regions included in the list are Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan.”

The report said the attackers were looking for e-mail data, files and database servers on their target systems in financial, government, energy, airlines, construction, telecommunication and other sectors in the region.

Symantec said it was able to identify Leafminer after discovering a compromised web server that was used in several different attacks.

“It [the cyber espionage group] made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools.

“That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks.”

IGA said, in a statement to the GDN yesterday, that part of its job was to monitor any report issued by security vendors such as Symantec regarding any threat actors targeting the region.

“The team then conducts further investigation to look for any sign of indication related to the threat actors,” it said.

“If an indication is detected, the case is reported to IGA’s cybersecurity incident management team to take the needful action to approach the incident.

“With regards to the Leafminer cyber espionage group, no indication was found up till now that Leafminer targeted the portal or any systems managed by IGA.”

IGA officials previously said that around 27,000 attacks on government systems were managed last year, with majority of them originating from countries in the east, namely Iran.

Meanwhile, a spokesman from Bahrain-based security firm CTM360 said it was aware of Leafminer and urged companies and individuals to install anti-virus software as well as use complex passwords.

“Leafminer targeted government organizations and businesses in the Middle East by using the existing available threats out there,” said the spokesman.

“The group studied reports published by different security firms about malwares or threats, and fix the loopholes mentioned in those papers for an advanced malware attack.”

As reported by The Jerusalem Post