Iranian hackers caught spying on governments, militaries in Middle East


An Iranian nation-state threat actor is targeting high-profile organizations in the Middle East as part of an ongoing espionage campaign, according to a new report.

Known as Scarred Manticore, the group primarily targets the government, military and telecommunications sectors in Saudi Arabia, the United Arab Emirates, Jordan, Kuwait, Oman, Iraq and Israel.

In recent years, Scarred Manticore has quietly conducted covert operations in Middle Eastern countries, infiltrating telecommunications and government entities to systematically exfiltrate data from their systems, according to researchers at Check Point, one of the companies that investigated this campaign.

Check Point believes that Scarred Manticore is affiliated with the Iranian Ministry of Intelligence and Security (MOIS). The location of the group’s victims matches Iranian interests and fits the typical victim profile that MOIS-affiliated groups usually target in their espionage operations, the researchers said.

Scarred Manticore has been active since at least 2019, and over the years its toolset has undergone significant changes.

The tools and capabilities used by the group in its ongoing campaign, which reached its peak in mid-2023 and remained under the radar for at least a year, “demonstrate the progress made by Iranian actors in recent years,” the researchers said.

For example, in their latest attacks, the group used advanced malware known as Liontail, a sophisticated backdoor that allows attackers to execute commands remotely via HTTP requests.

According to Check Point, the group is known to generate a unique implant for each compromised server, making its malicious activities indistinguishable from legitimate network traffic. These customization features allow Liontail operators to evade detection for an extended period of time, according to Check Point.

Although Liontail appears to be unique and shows no clear code overlap with any known malware family, other tools used by Scarred Manticore in this campaign overlap with previously reported activities, particularly those associated with the Iranian hacker group OilRig or its affiliates.

“We do not have sufficient data to correctly attribute the Scarred Manticore to OilRig, although we believe they are likely related,” the researchers said.

Some of the tools used by the group have also been associated with a destructive attack against the infrastructure of the Albanian government, allegedly sponsored by MOIS.

Researchers predict that Scarred Manticore’s operations will continue and may expand to other regions, consistent with long-term Iranian goals.

On Tuesday, FBI Director Christopher Wray called Iran “the world’s largest sponsor of terrorism” and pointed out that Hezbollah – Tehran’s “main strategic partner” – has a history of spying on the United States.

He also warned that digital attacks against the United States by Iran and non-state actors could escalate if the conflict between Israel and Hamas worsens.

Daryna Antoniuk

Daryna Antoniuk is a freelance journalist for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe, and the state of the Ukraine-Russia cyberwar. She was previously a tech journalist for Forbes Ukraine. Her work has also been published in Sifted, The Kyiv Independent and The Kyiv Post.