By Micah McCartney
Smartencyclopedia Cybersecurity Correspondent
In a new cyber espionage campaign, Iranian state-sponsored hackers have targeted Iraqi government organizations and entities, according to a recent report by Israel-based cybersecurity firm Check Point. The attacks have been attributed to the advanced persistent threat (APT) group APT34, also known as OilRig, which has a history of targeting the Middle East region.
Over the past few months, Check Point researchers discovered two new strains of malware, Veaty and Spearal, used by the hackers to infiltrate Iraqi networks. These malware tools bear similarities to previously identified malware linked to APT34, including Karkoff and Saitama, confirming the group’s involvement.
Sophisticated Malware Threat
According to the report, Veaty and Spearal deploy sophisticated command and control (C2) mechanisms. Veaty utilizes a custom email-based C2 channel, infiltrating networks by using compromised email accounts within targeted organizations. Spearal, on the other hand, employs a custom DNS tunneling protocol, masking data transfers as normal internet traffic.
Check Point researchers noted that these malware strains are challenging to detect and represent a troubling evolution in state-linked cyber threats. “The distinctive C2 mechanisms, combined with malicious file execution, demonstrate a new level of sophistication from Iranian threat actors,” said Sergey Shykevich, a researcher at Check Point.
Social Engineering Tactics
The initial infection of the Iraqi government networks is believed to have occurred through social engineering, in which hackers tricked victims into opening malicious files disguised as legitimate document attachments. These files, such as “IraqiDoc.docx.rar” or “Avamer.pdf.exe,” triggered scripts that allowed the malware to infiltrate systems, manipulate file access times, and establish persistence on the infected machines.
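The two technical details above, Spearal's DNS-based C2 channel and the double-extension lure files, both lend themselves to simple defensive checks. The following Python script is an added example written for this article, not code from Check Point or from the malware: it scores DNS query logs for tunneling-style patterns (many distinct high-entropy subdomains under one base domain from one client) and flags attachment names whose visible "document" extension hides an archive or executable. The log lines, the `c2-placeholder.test` domain, and the thresholds are constructed assumptions; the report gives no specifics of Spearal's encoding, so the heuristics are generic rather than a signature for it.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the Check Point report).
# Format per line: "<timestamp> <client-ip> <queried-name>".
# "c2-placeholder.test" stands in for an attacker-controlled domain.
SAMPLE_DNS_LOG = """\
2024-09-01T10:00:01Z 10.0.0.5 www.example.com
2024-09-01T10:00:02Z 10.0.0.5 mail.example.com
2024-09-01T10:00:03Z 10.0.0.7 a3f9c2e1b7d4f0a9c8e2b1d3f4a5c6e7.c2-placeholder.test
2024-09-01T10:00:04Z 10.0.0.7 9e1d4c7b2a6f8e0d3c5b7a9f1e2d4c6b.c2-placeholder.test
2024-09-01T10:00:05Z 10.0.0.7 1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f.c2-placeholder.test
2024-09-01T10:00:06Z 10.0.0.5 cdn.example.com
"""

# Assumed thresholds; baseline them against your own resolver logs.
MIN_DISTINCT_SUBDOMAINS = 3
MIN_MEAN_ENTROPY = 3.0      # bits per character
MIN_MEAN_LABEL_LEN = 24     # characters of subdomain per query


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Return (subdomain, base) where base is the last two labels.
    Simplification: the public suffix list is not consulted."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_dns_tunneling(log_text):
    """Flag (client, base-domain) pairs whose subdomains look like encoded payloads."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip malformed lines
        _, client, qname = parts
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)

    flagged = []
    for (client, base), subs in seen.items():
        if len(subs) < MIN_DISTINCT_SUBDOMAINS:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        mean_len = sum(len(s) for s in subs) / len(subs)
        # Ordinary hostnames (www, mail, cdn) are short and low-entropy;
        # encoded C2 data is long and near-random, so either test fires.
        if mean_entropy >= MIN_MEAN_ENTROPY or mean_len >= MIN_MEAN_LABEL_LEN:
            flagged.append({"client": client, "domain": base,
                            "distinct_subdomains": len(subs),
                            "mean_entropy": round(mean_entropy, 2)})
    return flagged


# Double-extension lure check, modelled on the names quoted in the article.
DOCUMENT_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "ppt", "pptx", "txt"}
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "hta", "lnk"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}


def suspicious_attachment(name):
    """Return a reason string if a document-looking name ends in an
    executable or archive extension, else None."""
    parts = name.lower().split(".")
    if len(parts) < 3:
        return None
    inner, outer = parts[-2], parts[-1]
    if inner in DOCUMENT_EXTS and outer in EXECUTABLE_EXTS:
        return "document-name-executable"
    if inner in DOCUMENT_EXTS and outer in ARCHIVE_EXTS:
        return "document-name-archive"
    return None


if __name__ == "__main__":
    for hit in find_dns_tunneling(SAMPLE_DNS_LOG):
        print("possible DNS tunneling:", hit)
    for fname in ("IraqiDoc.docx.rar", "Avamer.pdf.exe", "report.pdf"):
        print(fname, "->", suspicious_attachment(fname))
```

On the sample log the `10.0.0.5` client queries three ordinary subdomains of `example.com` and is not flagged, while `10.0.0.7` is flagged for `c2-placeholder.test`; the attachment check marks both filenames quoted in the article and passes a plain `report.pdf`. In production the entropy and length thresholds should be set from a baseline of benign traffic, since CDN and anti-spam lookups can also produce long random-looking labels.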
Iranian Espionage Operations in the Middle East
APT34, believed to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has a history of targeting entities across the Middle East. Previous attacks have focused on countries such as Saudi Arabia, the United Arab Emirates, Jordan, Lebanon, and Turkey. In addition, APT34 has reportedly engaged in cyberattacks against Israel amid the ongoing conflict between Israel and Hamas, a group backed by Iran.
The hacking group’s activities align with Iranian geopolitical interests, targeting critical infrastructure and governmental networks in the region. In a similar operation last year, APT34 reportedly infiltrated the systems of a Middle Eastern government for eight months, stealing sensitive files and emails.
Cybersecurity Concerns Across the Region
The Check Point report underscores the ongoing cyber threat posed by Iranian intelligence-backed groups in the Middle East, particularly those targeting Iraq. This campaign highlights the increasing reliance on sophisticated malware and cyber tactics by state-sponsored hackers to gather intelligence and destabilize regional governments.
As cyberattacks continue to grow in scale and sophistication, Middle Eastern governments and organizations are urged to bolster their cybersecurity defenses and remain vigilant against the persistent threat posed by state-sponsored actors.