Symantec uncovers hacking group targeting ME government

Leafminer group has targeted government, finance, petrochem organisations across the region

Symantec says it has uncovered an Iran-based hacking group targeting government organisations across the Middle East.

Symantec has uncovered an active hacking group which is targeting organisations in the Middle East.

The group, dubbed ‘Leafminer’, has been targeting government, finance, energy and other organisations since at least early 2017, the security company has warned, and appears to be based in Iran.

Leafminer tends to adapt publicly available techniques and tools for its attacks and experiments with published proof-of-concept exploits. It attempts to infiltrate target networks through several means of intrusion: watering-hole websites, vulnerability scans of internet-exposed network services, and brute-force/dictionary login attempts. The actor's post-compromise toolkit suggests that the group is looking for email data, files, and database servers on compromised systems.
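As an added illustration of the brute-force/dictionary login vector named above (example code written for this page, not taken from Symantec's report), a small detector that flags a source trying many account names against one host in a short window, run over constructed sshd-style log lines; the thresholds and the log format are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines for illustration; not from the report.
SAMPLE_LOG = """\
Mar 03 10:00:01 gw sshd[1]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 03 10:00:02 gw sshd[2]: Failed password for invalid user oracle from 203.0.113.7 port 51002 ssh2
Mar 03 10:00:02 gw sshd[3]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 03 10:00:03 gw sshd[4]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar 03 10:00:04 gw sshd[5]: Failed password for invalid user backup from 203.0.113.7 port 51005 ssh2
Mar 03 10:00:05 gw sshd[6]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Mar 03 10:07:10 gw sshd[7]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 03 10:07:30 gw sshd[8]: Accepted password for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line):
    """Return (timestamp, result, user, ip) for a recognised line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["result"], m["user"], m["ip"]

def detect_dictionary_attacks(log_text, window=timedelta(minutes=5), min_failures=4, min_users=3):
    """Map source IP -> finding for sources with >= min_failures failed logins across
    >= min_users distinct accounts inside `window`; note whether a success followed."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[3]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [e for e in evs if e[1] == "Failed"]
        # Sliding window: from each failure, collect the failures that follow within `window`.
        for i, start in enumerate(failures):
            run = [e for e in failures[i:] if e[0] - start[0] <= window]
            users = {e[2] for e in run}
            if len(run) >= min_failures and len(users) >= min_users:
                last_fail = run[-1][0]
                success_after = any(e[1] == "Accepted" and e[0] >= last_fail for e in evs)
                findings[ip] = {"failures": len(run), "users": sorted(users), "success_after": success_after}
                break
    return findings
```

A source that guesses several account names and then logs in successfully is the case worth escalating first, since it matches the dictionary-then-access pattern described above.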


Symantec said it has detected attacks mainly against government and finance organisations, but the group has also targeted the petrochemical, shipping and other sectors. Attacks have been seen against targets in Saudi Arabia, the United Arab Emirates, Qatar, Kuwait, Bahrain, Egypt and Afghanistan.

The security company said it was able to identify Leafminer after discovering that the same compromised web server had been used in several different attacks.

Symantec characterised the group as highly active but apparently inexperienced. The group has used a mix of publicly available tools and its own malware, has copied attack methods from other actors, and has been quick to try exploiting newly disclosed weaknesses, such as the Heartbleed bug, as part of its modus operandi.

"The group appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors," the company said. "However, Leafminer's eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that's supported by the group's poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group's entire arsenal of tools. That one misstep provided us with a valuable trove of intelligence to help us better defend our customers against further Leafminer attacks."
