An unknown hacker group has been targeting Middle Eastern countries as well as others such as India, Pakistan, US and Georgia as part of what appears to be a massive cyber-espionage campaign. On Monday (20 November), the Saudi Arabian government's national cyber security center reportedly confirmed that the kingdom had been targeted by hackers since February.
The hacker group, dubbed MuddyWater, used fake documents, purporting to be from the NSA, Russian cybersecurity firm Kasperksy and the Iraqi government, among others, to trick victims into clicking on malicious documents. Security experts at Palo Alto Networks, who uncovered the campaign, said that the hackers are making use of a PowerShell-based first-stage backdoor called "POWERSTATS".
"The malicious documents were adjusted according to the target regions, often using the logos of branches of local government, prompting the users to bypass security controls and enable macros," Palo Alto Networks' Unit 42 security researchers said in a report.
The researchers said that the MuddyWater hacker group has been active throughout the year and apart from Saudi Arabia, has also targeted the UAE, Iraq, Israel and Turkey. The researchers noted that in some cases they found that the hackers had managed to have gained control of compromised accounts at third-party organisations. The hackers then used these compromised accounts to steal a legitimate document and create a malicious mimic to send it to a target.
"This targeting of third-party organizations to attack further targets is a risky move on the attackers' part, as it potentially reveals their activity within the compromised third-party organizations to the new target (those receiving the malicious documents)," the researchers added.
Unit 42 researchers were not the only experts to observe the campaign. Other researchers who also analysed the campaign suspected that the proliferate hacker group FIN7, also known as the Carbanak gang, may be behind the attacks. However, Unit 42 researchers were able to rule out the FIN7 hacker group.
"Whilst we could conclude with confidence that the attacks discussed in this article are not FIN7 related, we were not able to answer many of our questions about the MuddyWater attacks. We are currently unable to make a firm conclusion about the origin of the attackers, or the specific types of information they seek out once on a network," Unit 42 researchers said, adding that they would "continue to track their activities".
The Arab News reported that the Saudi security agency said the hackers sought to steal data from targets' computers. It is still unclear as to what organisations were targeted and what kind of data the hackers attempted to steal. It also remains uncertain whether the hackers were successful in stealing any data.
This is not the first time that hackers have targeted Middle Eastern nations. In 2016 and again this year, hackers operating the powerful Shamoon disk-wiping malware hit various government and private organisations in Saudi Arabia.