CYBER INTELLIGENCE REPORT

Actor Type: I-IV
Serial: IR-18-076-001
Region: Middle East, North Africa, Europe, US
Report Date: 20180319
Industries: Financial, Government, Energy (Oil)

An overview of Middle Eastern and North African hacking activity

Summary

Cybercriminals in the Middle East/North Africa (MENA) region are among the most cooperative and united groups of hackers in the world when their goal is to attack the West. Hacktivists collaborate for financial and political gain, as well as for religious righteousness. Wapack Labs believes MENA bad actors will remain active and successful in various cyber campaigns against the West until the West attains a better understanding of the region's language, culture, and religions.

An overview of the languages used in hacker forums and a discussion of MENA underground forums follows.

Figure 1. The MENA region

Details About MENA hacking languages: Arabic, Farsi and Turkish

We find that hackers most often use their native tongue, and Arabic is the most widely used hacking language of the MENA region, followed by Farsi and Turkish. English is often used for hacking outside MENA, but within the region, it is not prevalent.  

Searches using Arabic-language hacking terms produced positive results for the MENA region and for some communities outside MENA, such as India. Farsi, which is commonly spoken in Iran, shares many characters with traditional Arabic, and many of its cyber-related words are similar. In Turkey, the Turkish language is most often used as a hacking language.

Just as English has regional and cultural variations (e.g., you, you all, you guys, y'all, youse, yinz), Arabic hacking terms share this linguistic characteristic. Every Arabic word listed in Table 1 has multiple ways of being written and/or defined by different groups in the MENA region. In addition, different hacktivists/groups maintain their own term lists for their forums and for signals communications.

Table 1. Cyber threat keywords compared, English and Arabic

English Word              Arabic Word
Bin                       تعريف الكريدت كارد
Bot                       بوت
Botnet                    بوت نت
Carding                   تمشيط
Credit Card               كريدت كارد
Cryptor/Crypter           كربتور/كربيتر
CVV                       اثبات الكريدت كارد
DDoS                      دي دوس/ هجمات الحرمان من الخدمات
Email                     ايميل
Hacker                    مقرصن
Hacking                   قرصنة
Jabber                    جابر
Malware                   مالوير
Phishing                  تصيد
Ransomware                الفدية الخبيثة
Social engineering        هندسة اجتماعية/خدع
Spoofing                  خداع
SQL injection             سيكول انجكشن
Trojan                    التروجان
Virus                     فايروس
Vulnerabilities           ثغرات
Worm                      ديدان

Note: Hebrew-speaking hackers are not identified in this report; see previous Wapack Labs reporting covering Israeli hackers. 
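The report notes that it located MENA forum content by searching for the Arabic terms in Table 1, and that each term has several spellings. The following Python script is an added illustration of how an analyst might run such a keyword triage over collected posts, not code from the report or from Wapack Labs; the normalization rules (diacritic and tatweel removal, alef unification, final-letter folding), the list of tolerated clitic prefixes, and the sample posts are assumptions constructed for the example.

```python
import re
import unicodedata

# Subset of Table 1 (English term -> Arabic term); "/" separates alternatives as the table does.
TABLE_1 = {
    "Botnet": "بوت نت",
    "DDoS": "دي دوس/ هجمات الحرمان من الخدمات",
    "Ransomware": "الفدية الخبيثة",
    "SQL injection": "سيكول انجكشن",
    "Vulnerabilities": "ثغرات",
}

TASHKEEL = re.compile(r"[\u064B-\u0652\u0670]")  # short vowels, shadda, sukun and similar marks
ALEF_FORMS = str.maketrans({"أ": "ا", "إ": "ا", "آ": "ا", "ٱ": "ا"})

def normalize(text):
    """Fold common Arabic spelling variation onto one canonical form (assumed rule set)."""
    text = unicodedata.normalize("NFKC", text)            # presentation forms -> base letters
    text = TASHKEEL.sub("", text).replace("\u0640", "")   # drop diacritics and tatweel
    text = text.translate(ALEF_FORMS)                     # أ إ آ ٱ -> ا
    text = text.replace("ى", "ي").replace("ة", "ه")       # frequent final-letter variants
    return re.sub(r"\s+", " ", text).strip().lower()

def compile_patterns(table):
    """One regex per alternative spelling; allow attached clitics such as the article 'ال'."""
    patterns = {}
    for label, cell in table.items():
        patterns[label] = [
            re.compile(r"(?<!\w)(?:و|ف)?(?:ال|لل|بال|ب|ل)?" + re.escape(normalize(alt)) + r"(?!\w)")
            for alt in cell.split("/")
        ]
    return patterns

PATTERNS = compile_patterns(TABLE_1)

def scan(post):
    """Return the sorted English labels of the Table 1 terms found in one post."""
    norm = normalize(post)
    return sorted(label for label, pats in PATTERNS.items() if any(p.search(norm) for p in pats))

# Constructed sample posts for the example (not taken from any real forum).
SAMPLE_POSTS = [
    "شرح كامل عن الثغرات في المواقع",     # "vulnerabilities" with the article attached
    "قائمة ثَغَرات جديدة",                # same term written with diacritics
    "بيع سكربت سيكول انجكشن مع الشرح",    # "SQL injection"
    "مناقشة عامة عن الطقس اليوم",          # unrelated chatter; no hit expected
]

RESULTS = {post: scan(post) for post in SAMPLE_POSTS}
```

Because the clitic prefixes are matched optionally, the article form "الثغرات" and the bare "ثغرات" both resolve to "Vulnerabilities"; the trade-off is a slightly higher false-positive rate on short terms, which is why the result is a triage list for an analyst rather than an alert on its own.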

Traits of MENA Hacker Forums

MENA hacker forums are much like those of the West. Typically they receive traffic from anyone who desires to develop their technical skills, and will freely communicate with others who seek the same. Common practice in these forums includes sharing hacking tools such as keyloggers, malware builders, crypters, and SQL injection tools.[1]

One motivation that sets MENA actors apart from Western actors is their interest in taking down critical infrastructure control systems, such as Supervisory Control and Data Acquisition (SCADA) systems. SCADA is discussed in the MENA underground forums, as depicted in Figure 2.[2] Countries (specifically Advanced Persistent Threat (APT)-level actors) and criminal hacking groups continually search for a way to harm critical infrastructure, including power plants, transportation systems, water and waste controls, energy systems, oil and gas refineries, and telecommunications networks. Both privately owned and public sector systems are targeted, especially those in the United States.

Figure 2. Dev-Point (i.e., Arabic) forum post that educates other members about SCADA vulnerabilities

Advertisements to sell malware are very common in many MENA underground sites.  Figure 3 depicts the types of illicit goods and services that are sold.[3]

Figure 3. Percentage breakdown of products and services available in MENA underground sites

Some Arabic forums will at times claim their administrators will contact the Russians to build malware for them. In reality, they build it themselves.[4]  The malware is typically subpar and receives bad ratings.

There are also instances of advanced sellers offering to rent access to a command and control (C2) web interface to provide unskilled hacktivists with the ability to mount their own operations.

MENA region forums often build and sell Remote Access Trojans (RATs) that target Android and iOS phones (Figure 4). Malware targeting cell phones is of particular concern to businesses that offer a Bring Your Own Device (BYOD) policy.

Figure 4. Depiction of Ajanlar (i.e., Turkish) forum member selling Android RAT for $200

Counterfeit credit cards are also found in the MENA underground for illegal online purchases.[5]  Underground Arab credit card dumps often offer “fullz” (i.e., a complete file of information on a prospective victim), providing a credit card number, the cardholder’s name, address, PIN, and birthdate.  Selling fullz allows hackers to financially support their operations through fraudulent schemes.

The Inj3ct0r and Exploit-db websites are repeatedly referenced with positive ratings for members across Arabic forums.[6]  Both websites are used by many Arabic hackers to share and learn tradecraft.  Iranians and Turkish cybercriminals also use these sources, but the majority of Iranians and Turks appear to write their own scripts and operate in separate groups.  This suggests their attacks likely target different sectors than traditional Arab targets (Figures 5, 6).

Figure 5. An Ashiyane (i.e., Iranian) forum post for a spammer IRC Bot script that is coded in PHP

Religious motivation is important for most MENA hackers. Hacktivists combine DDoS attacks, website defacements, and malware to dismantle their targets.[7] The Iranonymous Iranian hacker group posted that their exploit code is "right" since they are at cyber war with Saudi Arabia. "Right" likely refers to their perceived religious authority. Members of that hacking forum carry the religious ideology over to targeting Western ideology and countries (Figure 6). This activity is sometimes referred to as E-Jihad or Cyber Jihad.

Figure 6. Iranonymous (i.e., Iranian) forum post stating the hacker had coded his exploit “right”

Conclusion

Religious ideology often unites MENA cybercriminals and poses a significant threat to religious enemies and Western entities. These businesses and governments are being targeted by tools developed by more sophisticated users than the typical Kali Linux user. Cyber prevention is often difficult because many cyber security experts do not understand Arabic hacker websites, databases and infrastructure, a result of a lack of understanding of the languages, cultures and religions. This in turn leads to Western-directed attacks on critical infrastructure vulnerabilities, which are not normally identified until an attack is perpetrated. A better understanding of Arabic language and culture is needed, and until that understanding is attained, cyber security teams will not be able to proactively identify and prevent attacks by MENA region hackers. Wapack Labs will continue to collect, research and analyze malicious cyber activities in the MENA region and provide periodic updates for our members.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com

Prepared:      Naba Alrubaye, Yury Polozov
Reviewed:     B. Schenkelberg, I. Shipton
Approved:     J. Stutzman

Past Wapack Labs reporting for the MENA region

  • Egyptian hacker Galal M. Gere (AlaaCool).[8]
  • THT Turkish Hacking Group.[9]
  • Wapack Labs PIR Turkeys Hactivist Groups and Offensive Cyber Capabilities.[10]
  • Wapack Labs PIR 10.13.14 ISIS Cyber Capabilities.[11]
  • Zurael STz Hacker: Behind #OpIslam and Israel Cyber Army.[12]
  • Wapack Labs SITREP: Anonymous Declaration of War on ISIS.[13]
  • TIR-015-2017_Greenbug.[14]
  • TIR-003-2017 Shamoon2.[15]
  • The Iranian Cyber Evolution - RATs_Backdoors_Droppers.[16]
  • Profile: The Islamic Republic of Iran Security Team.[17]
  • Wapack Labs PIR Iranian hacker Ali Abbasi's Chinese SCADA Training 9.24.14.[18]
  • Shamoon and Essex Shipping.[19]
  • Calamities in Qatar.[20]
  • Morocco: Business in Sub-Saharan Africa.[21]
  • Rise of the Arab Army - Saudi Arabia and Iran square off over Yemen.[22]
  • IR-087-2017 Mauritania Algeria and Senegal.[23]
  • Wapack Labs Case Study - Threats to the Panama and Suez Canals.[24]
  • Tunisian Hackers, xAhmedx and TheWeekOfHorror TLP RED.[25]
  • [Libya, Syria] Several international lawful communications interception companies aiding western opposition.[26]
  • 12/20/2015 - "Golden Dawn" Jihad propaganda in Sweden, Greece, and NYC.[27]
  • Priority Intelligence Report 10.24.13. Syrian Electronic Army's response to the chemical weapons attacks.[28]
  • Priority Intelligence Report 10.30.13. Syrian Electronic Army’s social network.[29]
  • OpPetrol gouge: 05142013 - 06202013.[30]
  • [Oman] Sultan of Oman's Intelligence services hires Gamma and Trovicor to spy on western oil companies.[31]
  • PIR: Oman Based Visa-owned Secure Payment Co. Identified in Keylogger.[32]

Appendix A.

The two images below depict the religious motive (known as a fatwa) of the Arabian states of the Persian Gulf/Arabian Peninsula to hack the West.

Figure 7. Saudi Grand Sheikh fatwa to hack the West[33]

Figure 8. Saudi Cleric Muhammad Al_Munajid hacking fatwa

Appendix B.

The image below comes from an Iranian forum that stresses the point of revolution, though it promotes a "cyber revolution" rather than a religious one.

Figure 9. Banner on the Iranian Anonysec hacking forum showing Iran's Supreme Leaders Ali Khamenei (left) and Ruhollah Khomeini (right) in support of a cyber revolution[34]

Appendix C.

The image below of a Turkish website combines revolution, politics and religion.

Figure 9. A website defacement by the famous Lastc0de and other members of the Turkish hacking group "SpyHackerz." The Turkish writing above the e-mail translates to "Atatürk's soldiers." Atatürk was the first Turkish president after the 1920-1938 revolution.[35]


[1] https://www.dev-point.com/vb/threads/431641/page-2#post-4643083

[2] https://www.dev-point.com/

[3] https://documents.trendmicro.com/assets/white_papers/wp-middle-eastern-north-african-underground.pdf

[4] https://www.theguardian.com/world/2017/jun/07/russian-hackers-qatar-crisis-fbi-inquiry-saudi-arabia-uae

[5] https://documents.trendmicro.com/assets/white_papers/wp-middle-eastern-north-african-underground.pdf

[6] https://www.observatoire-fic.com/hacking-and-skills-acquisition-focus-on-the-arabic-speaking-community/

[7] http://competitiveintelligence.ning.com/group/menaci

[8] files.slack.com/files-pri/T71KHUTDM-F8J85D021/download/targeteer_egyptian_galal_m_gere_alaacool_20160526.pdf

[9] files.slack.com/files-pri/T71KHUTDM-F8J7W6KB6/download/sitrep_it_10_04_2016.pdf

[10] files.slack.com/files-pri/T71KHUTDM-F8J724KUJ/download/wapack_labs_pir_turkeys_hactivist_groups_and_offensive_cyber_capabilities.pdf

[11] files.slack.com/files-pri/T71KHUTDM-F8J2XBEPN/download/2327.txt

[12] files.slack.com/files-pri/T71KHUTDM-F8MFHNY07/download/ir-054-2017_targeteer_zurael_stz.pdf

[13] files.slack.com/files-pri/T71KHUTDM-F8HDPSUJU/download/anonymous_declaration_of_war_on_isis.docx

[14] files.slack.com/files-pri/T71KHUTDM-F8M950JR4/download/tir-015-2017_greenbug.pdf

[15] files.slack.com/files-pri/T71KHUTDM-F8LES74Q4/download/tir-003-2017_shamoon2.pdf

[16] files.slack.com/files-pri/T71KHUTDM-F8NGL96FP/download/the_iranian_cyber_evolution_-_rats_backdoors_droppers.pdf

[17] files.slack.com/files-pri/T71KHUTDM-F8J353R0U/download/2711.txt

[18] files.slack.com/files-pri/T71KHUTDM-F8HG1PZUH/download/2358.txt

[19] files.slack.com/files-pri/T71KHUTDM-F8MFRB22K/download/tacrep_01_26_2017_-_mwt.pdf

[20] files.slack.com/files-pri/T71KHUTDM-F8LBESK0T/download/tr_qatar_and_iran_final.pdf

[21] files.slack.com/files-pri/T71KHUTDM-F8JB4V0J1/download/sitrep_geo_11_14_2016_-_wjs2.pdf

[22] files.slack.com/files-pri/T71KHUTDM-F8HV9KCHH/download/2665.txt

[23] files.slack.com/files-pri/T71KHUTDM-F8LB0LZL3/download/ir-087-2017_mauritania_algeria_and_senegal.pdf

[24] files.slack.com/files-pri/T71KHUTDM-F8JTN8FKQ/download/3151.txt

[25] files.slack.com/files-pri/T71KHUTDM-F8J5Z0LMT/download/2159.txt

[26] redskyalliance.slack.com/files/U73N65QP5/F8MEA3J9M/2859.txt

[27] files.slack.com/files-pri/T71KHUTDM-F8J4RULSY/download/12202015_xamrikijihadx-2.pdf

[28] files.slack.com/files-pri/T71KHUTDM-F8J1G8GBU/download/1858.txt

[29] files.slack.com/files-pri/T71KHUTDM-F8HUMJNCT/download/1858.txt

[30] files.slack.com/files-pri/T71KHUTDM-F8HUJKTPV/download/1776.txt

[31] files.slack.com/files-pri/T71KHUTDM-F8LCGM342/download/2858.txt

[32] files.slack.com/files-pri/T71KHUTDM-F8K2WRMU6/download/wl16-261-01_-_cybersource_victim_notification.pdf

[33] https://www.memri.org/reports/leading-mainstream-and-jihadi-sheikhs-issue-fatwas-beginning-2000-allowing-hacking-and-other

[34] https://anonysec.org/

[35] http://realwealthnewyork.com/
