Thamar Reservoir – Iranian hackers target entities in Middle East

Security experts at ClearSky have published a report on the a cyber espionage campaign dubbed Thamar Reservoir that is targeting entities in the Middle East.

Security experts at ClearSky have uncovered a cyber espionage campaign dubbed Thamar Reservoir due to the name of its target Thamar E. Gindin. The investigation led the experts to date the Thamar Reservoir campaign back to 2011, threat actors adopted several attack techniques finalized to the espionage.

The attackers focused their operations to gain access victim’s machine and take over their email accounts, according to researchers at ClearSky there no evidence of financial motivation for the attacks, a circumstance that suggest the involvement of state-sponsored hackers.

In many cases that hackers used the compromised accounts and machines to run further attacks against other targets, among the attach techniques adopted by threat actors observed by ClearSky there are:

  • Breaching trusted websites to set up fake pages
  • Multi-stage malware
  • Multiple spear phishing emails based on reconnaissance and information gathering.
  • Phone calls to the target.
  • Messages on social networks.

The experts highlighted the low sophistication level of the attacks, the attackers made various mistakes such as grammatical errors, lack of code obfuscation and exposure of attack infrastructure.

The majority of the victims of the Thamar Reservoir campaign was located in the Middle East (550) and belong to Middle East and Iranian diplomacy entities, defense and security industries, journalists and human rights organizations.


Who is behind the Thamar Reservoir campaign?

According to the researchers at ClearSky, the evidence collected suggest the involvement of Iranian hackers. The experts noticed several similarities with other attacks in the same geographic area such as:

  • Attacks conducted using the Gholee malware, which we discovered.
  • Attacks reported by Trend Micro in Operation Woolen-Goldfish.
  • Attacks conducted by the Ajax Security Team as documented by FireEye.
  • Attacks seen during Newscaster as documented by iSight.

I have contacted Boaz Dolev, CEO at ClearSky, to submit him  a couple of questions:

Who are the targets?
Most of them are middle east researchers, others are journalists and security companies. Some of the targets are serving as first stage, and after their credentials are stolen, their email accounts serve for reaching the next target.

What is the level of threat to the targets?

It’s one of the most persistent spear phishing attacks that we have seen. Every target has been attacked for weeks in all possible media until the attackers succeed.

Enjoy the full report: Thamar Reservoir – An Iranian cyber-attack campaign against targets in the Middle East.

Pierluigi Paganini

(Security Affairs –  Iran, Thamar Reservoir Campaign)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

TP-Link Archer C5400X gaming router is affected by a critical flaw

Researchers warn of a critical remote code execution vulnerability in TP-Link Archer C5400X gaming router.…

2 hours ago

Sav-Rx data breach impacted over 2.8 million individuals

Prescription service firm Sav-Rx disclosed a data breach that potentially impacted over 2.8 million people…

12 hours ago

The Impact of Remote Work and Cloud Migrations on Security Perimeters

Organizations had to re-examine the traditional business perimeter and migrate to cloud-based tools to support…

19 hours ago

New ATM Malware family emerged in the threat landscape

Experts warn of a new ATM malware family that is advertised in the cybercrime underground,…

21 hours ago

A high-severity vulnerability affects Cisco Firepower Management Center

Cisco addressed a SQL injection vulnerability in the web-based management interface of the Firepower Management…

1 day ago

CERT-UA warns of malware campaign conducted by threat actor UAC-0006

The Ukraine CERT-UA warns of a concerning increase in cyberattacks attributed to the financially-motivated threat…

2 days ago

This website uses cookies.