Pierluigi Paganini
March 23, 2026
Resecurity (USA) is tracking a relatively new cybercriminal group called Nasir Security, presumably associated with Iran, that is targeting energy organizations in the Middle East. The energy sector is one of the most impacted areas because of the Iranian malicious activity in the region, including the lockdown of the Strait of Hormuz and drone/missile attacks against the energy infrastructure of neighboring countries in the GCC, allies of the US.
Based on the artifacts collected by the threat intelligence team at Resecurity, the group is attacking supply chain vendors involved in engineering, safety, and construction. The data stolen as a result of such incidents is authentic but originates from a third party (of the target company), which may lead to incorrect assumptions about the origin of the breach. Notably, the focus of the attacks is centered on the energy sector, which has experienced significant financial and technological damage since the start of the war in Iran. Cyberspace is used to amplify it, following recent attacks against LNG and logistics providers.
The group has targeted Dubai Petroleum (UAE), CC Energy Development (Oman), an Iraq-based organization in the oil and gas sector, Al-Safi Oil Company (PURE IN), which operates gas stations in the Kingdom of Saudi Arabia (KSA) and other regions. In all these cases, Resecurity’s assessment indicated data theft from their vendors, such as engineering, construction companies, and safety equipment providers. However, there are still risks associated with this activity, as the documents acquired are authentic and may contain important information for adversaries. The stolen data includes schemes, contracts, risk assessment reports, and other documents.
Documents acquired by threat actors may provide them with additional context and insights to plan further attacks and serve as a pre-positioning stage for targeted strikes against oil fields and pipeline infrastructure. This includes identifying key infrastructure components that, if damaged, would significantly impact the facility and be difficult to repair. Both factors will make recovery from the attack challenging and likely time-consuming, especially since some equipment has long lead times.
As TTPs, the actors are leveraging business email compromise (BEC) via targeted spear phishing (T1566), impersonation (T1656), and exploiting public-facing applications (T0819), exfiltrating data from insecure cloud storage services (T1530). The identified activity illustrates a successful combination of supply chain attacks and a disinformation (propaganda) campaign by Iran and its proxies during the war.
Considering the significant pause in the group’s activity (since October, 2025), along with the relatively low-profile nature of the group and the absence of social media profiles, the attribution of such activity to a specific actor, party, or country should be done with extreme caution—especially during active geopolitical conflicts. Resecurity expects an increase in ‘false flags,’ psychological operations (psy ops), and influence campaigns amplifying current events in Iran.
The IT and OT supply chain is expected to be a high-priority target for Iran, enabling it to generate quantitative rather than qualitative results to demonstrate counteraction during the war, leveraging cyberspace as a critical domain of warfare and psychological operations (psyops).
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Nasir Security)
