Analysts uncover new ‘highly active’ espionage group believed to be from Iran


A U.S.-based cybersecurity firm has uncovered a new “highly active” espionage group believed to be based in Iran that is breaking into networks of government organizations and other firms located in the Middle East.

Symantec released information early Wednesday on the hacking collective, which researchers have dubbed “Leafminer.” The group is allegedly targeting organizations in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan.

Leafminer’s targets reportedly cut across several sectors, including energy, telecommunications, financial services, transportation and government.

Vikram Thakur, technical director at Symantec, told The Hill that the group has been active since early 2017 but “ramped up” its activity between the end of last year and the start of 2018. Thakur said the organization is “continuing to conduct attacks as of right now.”

Through its research, Symantec obtained a target list of roughly 800 organizations catalogued by their country of origin that analysts believe serves as a blueprint for the espionage group. The list was written in Farsi, leading analysts to conclude that the hackers are based in Iran.

“All the target organizations, they have some kind of political discourse ongoing with Iran, and Iran is actually missing from the list themselves,” Thakur said. “From an analytics perspective, that just adds to the fact that they’re likely to be from Iran.”

While Symantec does not have evidence linking the group to the Iranian government, Thakur said it is “possible” the group is operating on behalf of a nation-state.

Symantec observed the group firsthand executing attacks on about 40 different organizations; in some cases, the hackers were blocked outright, and in others gained some sort of foothold in victims’ networks.

The hacking group uses a mix of publicly available hacking tools and custom malware to execute its attacks, including the infamous “EternalBlue” exploit leaked by the group Shadow Brokers last year, which is widely believed to have been developed by the National Security Agency.

The group uses a variety of tactics to infiltrate its targets, such as watering hole attacks — a strategy in which a hacker infects a website that would-be victims typically visit in order to ultimately infiltrate their targets’ systems. Analysts observed hackers compromising a Lebanese intelligence agency website in one such instance.

The hacking group has also scanned the internet to uncover vulnerabilities on networks that can then be exploited, and has executed brute-force login attempts.

The group is primarily interested in hacking into victims’ emails to harvest communications and other data, likely for espionage purposes, analysts say.

Broadly, security professionals have observed Iranian hackers expanding their operations and growing more sophisticated in their attack methods. This has included Iran-based hacking groups stepping up operations on international organizations, including those located in the Middle East and the United States.

While Thakur does not believe Leafminer to be particularly sophisticated in terms of its technical capabilities, he suspects the group could expand its operations to other countries given its broad list of targets, which includes multinational organizations.

“Some of those Middle Eastern organizations might have branches or subsidiaries in Western countries and hackers might get opportunistic,” Thakur said.

“I do believe that their targeting is going to be, if it’s not already, beyond” the countries listed, he said.
