In a blog post, the company said the attacks had been made on a large number of organisations since early last year and in a number of locations: the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar, Lebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the US, the UK, Germany, Israel, Afghanistan, Serbia, Russia, the Sultanate of Oman, Kuwait, South Korea and Denmark.
The attacks seemed geared towards collecting information from victims who were carefully selected.
The attackers are claimed to represent a previously unknown geopolitically motivated threat actor, with Kaspersky not saying if any nation-state was behind the attacks. However, it did note that Operation Parliament seemed to be tied to escalating tensions in the Middle East.
"The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on."
The Kaspersky researchers said the attackers had exercised sufficient care to stay under the radar and imitate another attack group from the Middle East. Additionally, care had been taken to verify targets before an attack in order to protect command and control servers.
They said targeting looked to have slowed down since the beginning of the year and the targeting indicated that a lot of research was being done before an attack was launched.
The malware being used essentially provides a remote CMD/PowerShell terminal for the attackers, so that they can execute scripts/commands and receive the results via HTTP requests.
Screenshots: courtesy Kaspersky Lab