
Iran-linked hackers target Iraqi government in new campaign

A suspected Iranian state-sponsored threat actor has targeted Iraqi government organizations and other entities in the country as part of a new espionage campaign, researchers have found.

The attacks have been linked to the Iranian advanced persistent threat group APT34, also tracked as OilRig. Previous reports indicated that the group primarily targets organizations in the Middle East.

Over the past few months, the group deployed a new set of malware called Veaty and Spearal against targets in Iraq, according to a report published Wednesday by Israel-based cybersecurity firm Check Point. These tools overlap with the Karkoff and Saitama malware strains, which are also associated with APT34.

The newly discovered malware “is especially sophisticated and challenging to detect, revealing a troubling pattern of persistent state-linked cyber threats,” Check Point researcher Sergey Shykevich told Recorded Future News.

Veaty and Spearal use “distinctive” command and control (C2) mechanisms, including a tailor-made email-based C2 channel, which further suggests connections to APT34, researchers said.

The email-based C2 channel observed in the Veaty malware uses compromised email accounts within the targeted organization, indicating that the threat actor successfully infiltrated the victim’s networks, according to the report.

The Spearal malware, in turn, uses a custom DNS tunneling protocol for C2 communication, sending and receiving data over the internet while disguising it as normal DNS (Domain Name System) traffic.

The initial infection of Iraqi targets likely stemmed from “some type of social engineering,” in which the hackers persuaded their victims to open malicious files disguised as document attachments.

“This campaign against Iraqi government infrastructure highlights the sustained and focused efforts of Iranian threat actors operating in the region,” researchers noted.

In previous campaigns, APT34 targeted Saudi Arabia, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the U.S. and Turkey.

Check Point believes that APT34 is affiliated with Iran's Ministry of Intelligence and Security (MOIS). The location of the group's victims aligns with Iranian interests and matches the typical victim profile that MOIS-affiliated clusters usually target in espionage operations.

Most recently, APT34 reportedly hacked several victims in Israel amid that country's ongoing conflict with the Palestinian militant group Hamas, which is supported by Iran.

Last October, researchers discovered that the hackers had spent eight months inside the systems of an unspecified Middle Eastern government, stealing files and emails.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.