Business as Usual For Iranian Operations Despite Increased Tensions

Cyberespionage operations by governments with mature cyber capabilities persist regardless of geopolitical events. Espionage typically focuses on broader long-term strategic goals.


Secureworks® Counter Threat Unit™ (CTU) researchers monitor Iranian cyber operations, including the potential for retaliation after a January 2, 2020 U.S. drone strike killed Islamic Revolutionary Guard Corps (IRGC) Quds Force General Qasem Soleimani. Although there was ballistic missile bombardment of U.S. military personnel in Iraq on January 8, no government-directed cyber retaliation has been observed as of this publication.


Despite the lack of retaliatory activity, CTU™ researchers have observed the continuation of several espionage-focused campaigns. A series of spearphishing campaigns that occurred between mid-2019 and mid-January 2020 targeted governmental organizations in Turkey, Jordan, and Iraq, as well as global intergovernmental organizations and unknown entities in Georgia and Azerbaijan. Most of this activity commenced prior to the U.S. drone strike. Victimology and code similarity between the macros in the analyzed samples and macros documented in open-source reporting suggest that these campaigns were conducted by the COBALT ULSTER threat group (also known as MuddyWater, Seedworm, TEMP.Zagros, and Static Kitten), which is tasked by the Iranian government.


Multiple paths to compromise


In one compromised environment, threat actors conducted multiple rounds of spearphishing with malicious attachments to gain initial access. Some of the email messages contained a link to a compromised website, passing the name of the target organization as a parameter in the URL. These links were likely intended to track ..
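The tracking links described above, which carry the target organization's name as a URL parameter, leave a recognizable trace in web proxy or mail-gateway logs. The following hunting heuristic is an added example and is not code from the Secureworks report or from CTU; the log line format, the `ORG_TOKENS` identifiers, the allowlisted hosts and the sample log lines are constructed assumptions. It flags outbound requests whose query-string values match an organization identifier, checking the raw, URL-decoded and base64-decoded forms of each value, and skips hosts the organization itself operates so that its own portals do not generate noise.

```python
"""Hunt for phishing tracking links that embed the target organization's name
in a URL parameter. Added example; not Secureworks/CTU code.
Log format, organization tokens, allowlist and sample lines are constructed."""
import base64
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Identifiers for our own organization that an attacker might embed (constructed)
ORG_TOKENS = ("exampleministry", "example-ministry", "example.gov.test")

# Hosts we operate ourselves; a tenant/org parameter there is expected (constructed)
ALLOWLISTED_HOSTS = {"portal.example.gov.test"}

# Constructed proxy log format: "<timestamp> <src_ip> <user> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: lines 1 and 4 carry the organization name as a parameter,
# line 3 does too but on an allowlisted internal host, line 2 is benign.
SAMPLE_LOG = """\
2020-01-10T09:12:41Z 10.0.4.17 jdoe http://compromised-site.test/docs/view.php?org=ExampleMinistry&id=7731 200
2020-01-10T09:13:02Z 10.0.4.17 jdoe https://cdn.vendor.test/static/app.js 200
2020-01-10T09:14:30Z 10.0.4.22 asmith https://portal.example.gov.test/login?tenant=ExampleMinistry 200
2020-01-10T09:16:10Z 10.0.4.31 bkhan http://another-site.test/track?t=ZXhhbXBsZS1taW5pc3RyeQ== 302
"""


@dataclass
class Hit:
    line_no: int
    url: str
    param: str
    value: str
    reason: str


def _normalise(text: str) -> str:
    """Lower-case and drop separators so 'Example-Ministry' == 'exampleministry'."""
    return re.sub(r"[\s_\-.]", "", text.lower())


def _decoded_variants(value: str):
    """Yield the raw value, its URL-decoded form, and a base64 decode if it parses."""
    yield value
    decoded = unquote_plus(value)
    if decoded != value:
        yield decoded
    # Tracking parameters are sometimes base64-encoded; pad and decode leniently.
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True).decode("utf-8", "strict")
    except Exception:  # not valid base64 or not UTF-8 text
        return
    if raw.isprintable():
        yield raw


def _matches_org(value: str):
    """Return the matching organization token, or None."""
    for variant in _decoded_variants(value):
        norm = _normalise(variant)
        for tok in ORG_TOKENS:
            if _normalise(tok) in norm:
                return tok
    return None


def find_tracking_links(log_text: str, allowlisted_hosts=ALLOWLISTED_HOSTS):
    """Scan proxy log lines and return Hit records for suspicious query parameters."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        url = m.group("url")
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if host in allowlisted_hosts:
            continue
        for param, value in parse_qsl(parts.query, keep_blank_values=True):
            tok = _matches_org(value)
            if tok:
                hits.append(Hit(line_no, url, param, value,
                                f"query value matches org token '{tok}'"))
    return hits


if __name__ == "__main__":
    for hit in find_tracking_links(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.param}={hit.value!r} on {urlsplit(hit.url).hostname}"
              f" ({hit.reason})")
```

Run against the constructed log, the heuristic reports lines 1 and 4 (the internal portal on line 3 is suppressed by the allowlist). In practice the allowlist and the organization tokens are the tuning knobs: too few tokens miss abbreviations or transliterations of the organization's name, while an empty allowlist turns every internal single-sign-on redirect into an alert.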
