Kaspersky Lab Warning: Government IT and Incident Response Staff Targeted by Cyberattacks in Middle East & North Africa

Kaspersky Lab warns about the activity of an Arabic-speaking cybercriminal group called by the experts ‘The Gaza cybergang’. It is operating in the MENA region (Middle East and North Africa), mainly in Egypt, the United Arab Emirates and Yemen. The group has been operating since 2012 and became particularly active in the second and third quarter of 2015. The attackers focus on government entities, especially embassies, and primarily target IT and incident response staff.

The Gaza cybergang actively sends malware files to information technology (IT) and incident response (IR) staff. IT personnel are known to have more access and permissions inside their organisations than other employees, mainly because they need to manage and operate the infrastructure. That is why getting access to their devices can be worth a lot more to the cybercriminals than those of normal users in the corporate network. IR people are also known for having access to sensitive data related to ongoing cyber investigations in their organisations, as well as special access and permissions enabling them to hunt for malicious or suspicious activities on the network.

Despite the fact they are targeting high-level entities such as government bodies; the Gaza team uses well-known remote administration tools (RAT) – XtremeRAT and PoisonIvy – spreading infections via phishing scams. Using simple infection tools, they successfully hit their targets with crafted social engineering tricks, using special file names, content and domain names (e.g. gov.uae.k*m) that help the group in their hunt for targets. Examples of file names that have delivered malware to a victims’ machine, include:

• “Indications of disagreement between Saudi Arabia and UAE.exe”,
• “Wikileaks documents on Sheikh.exe”,
• “Scandalous pictures of Egyptian militants, judges and consultants”,
• “President Mahmoud Abbas cursing Majed Faraj.exe”,
• “Leaked conversation with the Egyptian leader of military forces Sodqi Sobhi.exe”,
• “Secret_Report.exe”,
• “Military Police less military sexual offenses, drug offenses more.exe”

“According to the list of targets, which includes government entities in the Middle East and North Africa region, we’re witnessing politically motivated cyberattacks. By gaining control of computers with greater access to the system, the cybercriminals increase their chances of stealing valuable information and are much more likely to cause significant damage. As attribution is the most complicated – often impossible – task when analyzing a malicious cyber-campaign, we don’t as yet know who is behind it,” says Mohammad Amin Hasbini, Senior Security Researcher, Global Research & Analysis Team, Kaspersky Lab.

In order to reduce the risk of being infected by the group’s malicious tools, Kaspersky Lab experts recommend the following measures:

• Be wary of emails with attachments;
• Keep software updated, especially software that is widely used and often exploited by cybercriminals;
• If you are aware of any vulnerabilities in the software on your device but there is no patch for it yet, avoid using this software;
• Use a proven anti-malware solution.

To find out more, please read the related blog post available at Securelist.com.