Cyber attack group targets UAE and Lebanese government officials
Emirati government officials may have been compromised by a cyber-attack that would leave staff vulnerable to blackmail, analysts have said.
Researchers at the respected Cisco Talos Intelligence Group said that UAE police forces and the country’s Telecommunication Regulatory Authority, which has a role in protecting against cyber-attacks, were among the targets.
The mysterious group, which has not been identified, also attacked Lebanon’s finance ministry and Middle East Airlines, the Lebanese carrier, in the infiltration attempt, the experts said.
They believe that the attacker spent time studying their targets before launching their attack. The scheme could have allowed them to access confidential information and gain access to emails.
Cisco outlined details of the attempts in a briefing note by analysts this week.
The TRA has previously described attempts by hacking groups to infiltrate government and private sector companies, including 34 hacks on websites in January 2018.
One of the group's attacks tried to trick people into downloading Word documents infected with spying software from a fake jobs website, which was disguised as a page of a legitimate company. Web activity suggests the campaign targeted the UAE.
The other attempted to redirect web users from legitimate government web addresses to fake sites, potentially leading members of the public to upload sensitive personal information to hackers rather than the authorities.
The identification of the attack comes after DarkMatter, the UAE-based cyber security firm, released a report in which it said it had found several “common, preventable cyber security weaknesses” across the country.
Outdated software, weak passwords and a lack of awareness were making some entities a soft target for cyber criminals, it warned.
The latest attack showed the need for public bodies and businesses to upgrade their security infrastructure, according to Hoda Al Khzaimi, the director of the Centre of Cyber Security at New York University Abu Dhabi.
“The attack relies on having a weak infrastructure when it comes to web security and people to click on postings to download malicious documents,” she said. “This is textbook, which means we have to upgrade our infrastructure and the way we build security.”
Warren Mercer and Paul Rascagneres, the authors of the blog exposing the attack, said they were unable to link the criminals to any previous activities through analysis of their tactics or IP addresses.
“Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates affecting .gov domains, as well as a private Lebanese airline company,” they wrote.
“Based on our research, it’s clear that this adversary spent time understanding the victims’ network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks.”
In an attack associated with the scheme, users were directed to fake job websites and invited to download apparently innocent Word documents which in fact contained malicious software that included a ‘remote administration tool’. This could be used to send information from an infected computer back to the attacker. This affected users in October, before spreading in November.
A separate ‘DNS redirection attack’ was launched between September and November, leading to multiple public sector servers in the UAE being compromised with users unwittingly directed to “attacker-controlled IP addresses,” it is claimed. The analysts said several servers belonging to the public sector in Lebanon and the UAE “were apparently compromised”.
“We don’t know if the redirection attack was ultimately successful, or what exact purpose the DNS redirection served,” the authors wrote. “However, the impact could be significant, as the attackers were able to intercept all traffic destined for these host-names during this time.
“Because the attackers targeted email and VPN traffic specifically, they may have been used to harvest additional information, such as email and/or VPN credentials. As incoming email would also be arriving at the attackers’ IP addresses, if there was multi-factor authentication, it would allow the attackers to obtain MFA [security] codes to abuse.
“Since the attackers were able to access email, they could carry out additional attacks or even blackmail the target.”
The UAE has tried to beef up cyber security policies over recent years, while private sector companies have also come under attack.
Careem, the Dubai-based ride-hailing app, revealed earlier this year that the personal information of up to 14 million users, across the Middle East, North Africa, Pakistan and Turkey had been stolen by criminals. There was no evidence that credit card numbers were accessed.
The UAE government, meanwhile, rolled out an upgrade to cyber security across federal bodies last year.