Insights into the cyber threat campaigns that affected MENA region in Q2 2021

Jens Monrad, Director, Head of Mandiant Intelligence, EMEA shares insights on the cyber threat campaigns that have affected the MENA region in Q2 2021.

Financial and espionage motivated cyber threats campaigns continue to be the most impactful and frequent categories of the region’s cyber attacks. 

The Middle East and North Africa regions continue to be targeted by cyber espionage operations seeking political, strategic, or economic advantage, particularly by Iran-linked groups, Russian and Chinese threat actors. Iran-linked information operations have also been observed – we suspect that some regional states possess or are developing information operations capabilities.

Financially motivated threat activity is fast becoming a high-volume threat to both organisations and individuals in the Middle Eastern and North African countries. 

The most significant threat actor we have identified in Q2 in the Middle East Region is TEMP.Zagros. 

TEMP.Zagros is an Iran-nexus cyberespionage actor active since at least May 2017. TEMP.Zagros targeting is prolific and widespread, affecting multiple industries throughout the Middle East, Central and South Asia, including government, defence, telecommunications, energy, and finance. Known and suspected targets indicate that TEMP.Zagros is likely tasked to conduct reconnaissance and collect strategic information, including geopolitical, diplomatic, defence, and possibly energy-related materials, to support Iranian interests and decision-making. 

Furthermore, the targeting of telecommunications entities may signal TEMP.Zagros’ use of third parties to enable access to primary targets and facilitate other intrusion activities.  Targeting patterns and related lures demonstrate a strong focus on targets with a geopolitical nexus and the telecommunications sector in Saudi Arabia, Pakistan, and Turkey.

The top malware detections for Q2 2021 in the Middle East and North Africa also show a continued focus on credential theft. Malware that can steal credentials from victims can allow further compromises of both private and government enterprises and personally targeted fraud. 

As the region continues to digitalise infrastructure, it will likely attract cyber threats that are financially motivated, as stolen credentials provide access to enterprises or serve as a path for ransomware deployments. To better defend against credential theft, organisations should implement multi-factor authentication wherever possible and minimise the usage of global or local administrative privileges for users. Additionally, monitoring and tracking unusual activity from authenticated users could allow an organisation to discover an unusual activity at an earlier stage, which is crucial to minimise the threat and its impact.