Thamar Reservoir – Iranian hackers target entities in Middle East

Pierluigi Paganini June 04, 2015

Security experts at ClearSky have published a report on a cyber espionage campaign dubbed Thamar Reservoir that is targeting entities in the Middle East.

Security experts at ClearSky have uncovered a cyber espionage campaign dubbed Thamar Reservoir after the name of its target, Thamar E. Gindin. The investigation led the experts to date the Thamar Reservoir campaign back to 2011; the threat actors adopted several attack techniques aimed at espionage.

The attackers focused their operations on gaining access to victims' machines and taking over their email accounts. According to researchers at ClearSky, there is no evidence of financial motivation for the attacks, a circumstance that suggests the involvement of state-sponsored hackers.

In many cases the hackers used the compromised accounts and machines to run further attacks against other targets. The attack techniques adopted by the threat actors and observed by ClearSky include:

  • Breaching trusted websites to set up fake pages
  • Multi-stage malware
  • Multiple spear phishing emails based on reconnaissance and information gathering.
  • Phone calls to the target.
  • Messages on social networks.

The experts highlighted the low sophistication level of the attacks: the attackers made various mistakes such as grammatical errors, lack of code obfuscation and exposure of attack infrastructure.

The majority of the victims of the Thamar Reservoir campaign were located in the Middle East (550) and belong to Middle East and Iranian diplomacy entities, defense and security industries, journalists and human rights organizations.


Who is behind the Thamar Reservoir campaign?

According to the researchers at ClearSky, the evidence collected suggests the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area, such as:

  • Attacks conducted using the Gholee malware, which we discovered.
  • Attacks reported by Trend Micro in Operation Woolen-Goldfish.
  • Attacks conducted by the Ajax Security Team as documented by FireEye.
  • Attacks seen during Newscaster as documented by iSight.

I have contacted Boaz Dolev, CEO at ClearSky, to ask him a couple of questions:

Who are the targets?
Most of them are Middle East researchers, others are journalists and security companies. Some of the targets are serving as a first stage, and after their credentials are stolen, their email accounts serve for reaching the next target.

What is the level of threat to the targets?

It’s one of the most persistent spear phishing attacks that we have seen. Every target has been attacked for weeks in all possible media until the attackers succeed.

Enjoy the full report: Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East.

Pierluigi Paganini

(Security Affairs –  Iran, Thamar Reservoir Campaign)