Iran war a melting pot for other cyber threats | Computer Weekly

By Computer Weekly
March 11, 2026


State-backed cyber threat actors from the likes of Belarus, China and Pakistan are all ramping up their activity in the wake of the joint Israeli-US attack on Iran, even though their government paymasters are not directly involved in the war.

This is according to intelligence published by Proofpoint, which claims to have observed several such campaigns unfolding in the wild. It believes this wave of malicious activity reflects a mixture of threat actors opportunistically using the conflict to create lures for their routine operations, and intelligence collection directly related to Middle Eastern governments and their allies.

“These campaigns were conducted by both known groups and previously unobserved actors, with suspected attribution to China, Belarus, Pakistan and Hamas,” wrote Proofpoint’s research team.

“The campaigns heavily relied on aspects of the conflict as topical lure content to engage the targets and often used compromised accounts belonging to government organisations to send phishing emails,” they said.

In one such campaign, Belarusian threat actor TA473, or Winter Vivern, impersonated a European Council president spokesperson relaying a statement on the European Union’s (EU’s) position on human rights, regional security and Iran’s alleged weapons of mass destruction.

It was sent to government organisations in both Europe and the Middle East – the first time Winter Vivern has been seen targeting the Middle East – and contained an HTML file which, if opened, displayed a decoy image while conducting an HTTP request in the background. However, said Proofpoint, for now at least, this request is likely intended for target tracking purposes only, as it neither observed nor retrieved any next-stage payloads.

At the same time, the China-linked UNK_InnerAmbush actor ran a phishing exercise targeting diplomats and government officials in the region. Using a compromised email address, it used the death of Ayatollah Khamenei as a lure, purporting to share “secret on-site images” obtained via the US Department of Foreign Affairs – which should be a dead giveaway to anybody with knowledge of American politics, as US foreign affairs are handled by the State Department.

Images of strikes

Days later, UNK_InnerAmbush pivoted to images of Israel’s strikes on Iran’s fossil fuel infrastructure, which have induced a major ecological disaster – but in all instances, the images were actually disguised Microsoft Shortcut (LNK) files, hosted in a password-protected ZIP or RAR archive on Google Drive. If opened, they ran executables that decrypted Cobalt Strike command and control (C2) payloads and loaded them into memory.
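As an added defensive example (not code from the article or from Proofpoint), the following Python scans an archive for members whose bytes carry the fixed Windows Shortcut (LNK) header while their names claim to be images, the masquerade described above. The archive contents are constructed for the demonstration, and the `password` argument only covers ZipCrypto-protected archives because Python's `zipfile` does not decrypt AES.

```python
import io
import zipfile

# Fixed Shell Link header (MS-SHLLINK): HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 serialised little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
IMAGE_MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff",
               "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
IMAGE_EXTS = frozenset(IMAGE_MAGIC)

def classify_member(name, head):
    """'lnk-masquerade' for LNK bytes behind an image name or a double
    extension such as photo.jpg.lnk; 'lnk' for an honestly named shortcut;
    'image' for a genuine image; 'other' for anything else."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner_exts = set(parts[1:-1])          # extensions hidden before the last one
    if head.startswith(LNK_MAGIC):
        if ext == "lnk" and not (inner_exts & IMAGE_EXTS):
            return "lnk"
        return "lnk-masquerade"
    if ext in IMAGE_EXTS and head.startswith(IMAGE_MAGIC[ext]):
        return "image"
    return "other"

def scan_zip(data, password=None):
    """Map each file member of an in-memory ZIP to its classify_member label.
    password (bytes) only works for ZipCrypto; zipfile cannot decrypt AES."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as fh:
                head = fh.read(len(LNK_MAGIC))   # enough for every magic above
            verdicts[info.filename] = classify_member(info.filename, head)
    return verdicts

def build_sample_archive():
    """Constructed sample, not a real lure: two LNK bodies under image names,
    one honestly named shortcut and one genuine PNG header."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56     # header padded to its 76-byte size
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("strike_photo_01.jpg.lnk", fake_lnk)
        zf.writestr("site_images.jpg", fake_lnk)
        zf.writestr("notes.lnk", fake_lnk)
        zf.writestr("readme.png", IMAGE_MAGIC["png"] + b"\x00" * 16)
    return buf.getvalue()
```

Calling `scan_zip(build_sample_archive())` labels both image-named members as `lnk-masquerade`, which is the condition a mail gateway or sandbox should quarantine on regardless of the archive's password.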

Meanwhile, despite their government’s non-involvement, Pakistan-aligned threat actor UNK_RobotDreams has been targeting the offices of Middle Eastern government organisations in neighbouring India, impersonating India’s Ministry of External Affairs – which is at least the correct terminology – with phishing emails purporting to advise on the security impacts of the war.

These emails contained a blurred decoy PDF attachment and a fake Adobe Reader button which, if opened, redirected to a threat actor-controlled URL that used geofencing to serve a tainted executable to its intended targets. The executable functioned as a .NET loader that retrieved a Rust backdoor from the threat actor’s C2 host via PowerShell.

“While several of these groups incorporated the war-themed lure content in operations that are largely consistent with typical targeting remits, others demonstrated a shift toward intelligence collection against Middle Eastern government and diplomatic entities,” wrote Proofpoint’s research team.

“This likely reflects an effort to gather regional intelligence on the standing, trajectory and broader geopolitical implications of the conflict. This suggests the conflict is being used both as a topical social engineering pretext and a driver of collection priorities for a range of state-aligned threat actors.”

Iran’s state APTs stirring

In contrast to the opening days of the war, during which they appeared to be lying low, leaving the virtual battlefield largely to hacktivists, Iran’s own network of state-linked threat actors is now beginning to make itself known.

Proofpoint said it had now observed TA453, or Charming Kitten, conducting phishing exercises against a US-based think tank, with its lures themed around a roundtable on air defence capabilities – although strictly speaking, this activity began before the outbreak of war.

Other Iranian threat actors, notably the Ministry of Intelligence and Security (MoIS)-linked Seedworm (aka MuddyWater, Static Kitten), have been targeting US airports, banks, non-profits and tech companies, according to intelligence from Cisco Talos.

While, as with Charming Kitten, much of this activity began in February, Cisco Talos noted the use of a previously unknown custom backdoor, dubbed Dindoor, which uses Deno – an open source JavaScript runtime – to execute.

Dindoor was first highlighted by Symantec and Carbon Black last week, and was linked to Seedworm by the use of certificates issued to aliases linked to other Seedworm malwares.

Brigid O’Gorman, senior intelligence analyst at the Symantec and Carbon Black Threat Hunter team, told our sister title, Cybersecurity Dive, that while this particular Seedworm campaign began before the current conflict, it puts the gang in a “potentially dangerous” position to be able to launch further attacks.
