Iran-backed hackers dwelled for 8 months in Mideast government’s system, report says

Hackers connected to Iran’s government spent eight months inside the systems of an unspecified Middle East government, stealing files and emails, according to researchers.

Cybersecurity firm Symantec attributed the campaign to a group it calls Crambus but others refer to as APT34, OilRig or MuddyWater.

The intrusion lasted from February to September, and while the researchers declined to name the country targeted, Crambus previously had been tracked Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S. and Turkey.

Dick O’Brien, principal intelligence analyst on the Symantec Threat Hunter Team, told Recorded Future News that there were several new tools involved in the intrusion, including three new pieces of malware.

“The length of the intrusion is near the upper end of the scale,” he added, noting that the tactics resembled those seen in other attacks.

The research comes as Iran’s influence in the Middle East is under intense scrutiny due to the Israel-Hamas conflict.

In addition to stealing information, the hackers installed tools that allowed them to monitor emails. In total, the intruders compromised 12 computers, but Symantec found evidence of backdoors and keyloggers installed on dozens more devices.

Crambus is known to “stage long-running intrusions for intelligence gathering and spying purposes,” the researchers said.

“In recent years it has added a heavy social engineering component to the early stages of its attacks. It most recently came to attention last year, when Microsoft linked the group to a destructive attack against the Albanian government,” they said. “It assessed that Crambus was involved in gaining initial access and exfiltrating data from impacted networks. Wipers were likely then deployed by other Iran-linked actors.”

The first evidence of an attack appeared on February 1, when the hackers began to take a range of actions on one device. They quickly moved to a second computer after four days and by April, made their way into a third.

A fourth computer was compromised on May 7 and the hackers continued to use new malware to capture keystrokes and steal contents from the operating system’s clipboard.

By August, the hackers had used a tool to scan for vulnerabilities, including the Log4j bug, on other machines on the network. The malicious activity continued until September 9.

“After a 2019 leak of its toolset, there was some speculation that Crambus may disappear. However, its activities over the past two years demonstrate that it represents a continuing threat for organizations in the Middle East and further afield.”

In the last year, cybersecurity firms have identified several campaigns against the governments of Saudi Arabia, Jordan, Israel and more. An Iranian cloud provider was accused of providing infrastructure services to APT34 in August.