Cyber-spy group based in Iran targeting Bahrain
Manama: The Kingdom is one of the countries being targeted by an Iran-based cyber-spy group, it emerged. The cyber-terror group Leafminer is targeting many countries in the region, and Bahrain is one of them, according to US cyber-security firm Symantec. The sectors that the cyber-terror group is targeting include telecommunication, energy, financial services, transportation, and government. According to the firm, the cyber-spies have been working on campaigns in the Middle East since 2017, and the sectors most targeted by Leafminer are the financial, government and energy sectors.
However, the firm does not specify how much Bahrain has been affected by the threat. The use of compromised web servers as watering holes, dictionary attacks, remote exploits and brute-force logins are some of the infiltration techniques employed by the group. Both custom-built malware and publicly available tools have been used in the campaign. Targeted data include credentials, emails, files and databases. One of the servers of Leafminer uncovered by Symantec revealed 112 files that included malware, tools, and log files. It was further exposed that Leafminer had links to other Iran-based groups.
“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organisations and business verticals in various regions in the Middle East since at least early 2017,” the report said.
“The group tends to adapt publicly available techniques and tools for their attacks and experiments with published proof-of-concept exploits.
“Leafminer attempts to infiltrate target networks through various means of intrusion: watering hole websites, vulnerability scans of network services on the Internet, and brute-force/dictionary login attempts.
“The actor’s post-compromise toolkit suggests that the group is looking for email data, files, and database servers on compromised target systems.
“One interesting source of target information discovered during the Leafminer investigation was a list of 809 targets used by the attackers for vulnerability scans.
“The list is written in the Iranian language Farsi and groups each entry with organisation of interest by geography and industry.
“Targeted regions included in the list are Saudi Arabia, United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel, and Afghanistan,” the report said.
Giving tips on how to be protected from the threat, Symantec stated, “Important passwords, such as those with high privileges, should be at least 8-10 characters long (and preferably longer) and include a mixture of letters and numbers.
“Encourage users to avoid reusing the same passwords on multiple websites and sharing passwords with others should be forbidden.
“Employ two-factor authentication to provide an additional layer of security, preventing any stolen credentials from being used by attackers.
“Educate employees on the dangers posed by spear-phishing emails, including exercising caution around emails from unfamiliar sources and opening attachments that haven’t been solicited.”