Kaspersky finds a new APT campaign targeting engineers in the Middle East

A mysterious set of hackers last year began a targeted campaign to breach industrial organizations in the Middle East, antivirus firm Kaspersky said Tuesday.

Attackers have sought to breach engineers, particularly in a single, unnamed Middle Eastern country, adding to a long history of cyber operations in the region. They’re relying on a strain of malicious software that’s tailored for espionage, and does not appear to match any code the researchers have seen before. Exactly who is behind the effort remains unclear.

The sensitivity of the targets, and the fact that the activity is ongoing, prompted the researchers to go public with their findings. The Moscow-based company labeled the activity an “advanced persistent threat” (APT), a loose term for well-resourced hackers often linked to government interests. Kaspersky designated the hacking campaign “WildPressure.”

“Anytime the industrial sector is being targeted, it’s concerning,” said Kaspersky senior security researcher Denis Legezo. There is no indication that hackers have done anything beyond gather information from the compromised networks, he added.

“We made this conclusion [that it is an APT because] the malware is rare, targets a very specific region, and is suitable for espionage,” Legezo told CyberScoop. “So far we have no data regarding sponsorship.”

Broadly speaking, the “industrial sector” could mean organizations in energy or other domains critical to a society or economy, but Kaspersky researchers did not elaborate on the nature of the organizations targeted.

With a wealth of valuable industrial facilities, the Middle East has long been the scene of hacking operations to spy on or disrupt those facilities. The Stuxnet worm stifled an Iranian nuclear facility a decade ago, while the Trisis malware disrupted a Saudi petrochemical company in 2017.

Whether the WildPressure campaign amounts to anything more than espionage remains to be seen. The hackers were patient in developing their malware, but Legezo said he’s seen more painstaking operations.

“If we compare it with other targeted malware, there are worse ones out there,” he told CyberScoop in an email.

One of the pieces of code unpacked by Kaspersky researchers was labeled “1.0.1,” indicating that an updated version could be in the cards.