Iran-linked hackers increasingly spy on governments in Gulf region, researchers say

An Iran-linked cyberespionage group has stepped up its attacks in recent months against government agencies in the United Arab Emirates (UAE) and the broader Gulf region, according to a new report.

APT34, also known as Earth Simnavaz and OilRig, is believed to be an Iranian state-sponsored threat actor primarily targeting organizations in the Middle East, especially those in the oil and gas industries.

The hackers’ recent escalation in activity underscores their “ongoing commitment” to exploiting vulnerabilities within critical infrastructure and government networks in geopolitically sensitive areas, said researchers at the cybersecurity firm Trend Micro in a report released last week.

In their latest attacks, APT34 deployed a sophisticated new backdoor named Stealthook to exfiltrate sensitive credentials, including accounts and passwords, through on-premise Microsoft Exchange servers to those controlled by the attackers as email attachments.

The group is known for using compromised organizations to conduct supply chain attacks on other government entities, the researchers said. “We expect that the threat actor could use the stolen accounts to initiate new attacks through phishing against additional targets,” they added.

The group has also recently exploited the Windows CVE-2024-30088 flaw to escalate their privileges in targeted systems. This demonstrates APT34’s “continuous adaptation” by exploiting newer vulnerabilities to make their attacks stealthier and more effective, Trend Micro said.

The researchers warned that government organizations in the Middle East and Gulf region should take the threats from this group “seriously” and improve their defensive measures, because it uses tools to blend malicious activity with normal network traffic and avoid traditional detection methods.