Symantec has released research that reveals a cyber-espionage group called Leafminer is targeting government organisations and business verticals in the Middle East, including those in Egypt.
The primary targets are government organisations and the financial and energy sectors, and the group appears to be based in Iran.
Key findings of Symantec’s research include:
- Inexperience led to discovery: Leafminer’s poor operational security, together with its eagerness to adopt tools and techniques used by more advanced threat actors, suggests an inexperienced group. By leaving a staging server publicly accessible, the group exposed its entire arsenal of tools and opened a trove of intelligence to Symantec researchers.
- Infiltration techniques: Leafminer attempts to infiltrate target networks using three main intrusion techniques: watering hole websites, vulnerability scans of internet-facing network services, and brute-force/dictionary login attempts.
- Targeting data: Leafminer’s post-compromise toolkit suggests that the group is looking for email data, files and database servers on compromised systems. This points to espionage as the motivation.
Countries targeted by the group include Egypt, Saudi Arabia, UAE, Qatar, Kuwait, Bahrain and Afghanistan.
Symantec believes the group has been targeting organisations since at least early 2017. Its detection telemetry shows malware and custom tools used by Leafminer on 44 systems across four regions.