# Ali Baba, the APT group from the Middle East

**[securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html](https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html)**

February 17, 2015 By [Pierluigi Paganini](https://securityaffairs.co/wordpress/author/paganinip)

## Adrian Nish of BAE Systems presented the results of his investigation into the Ali Baba APT group, which operates from the Middle East and has hit Western companies.

Yesterday the Kaspersky Lab team revealed the results of its investigation into the hacking [crew dubbed the Equation group, a team of hackers that has demonstrated extraordinary](http://securityaffairs.co/wordpress/33637/cyber-crime/the-equation-group-atp.html) capabilities and sophisticated tactics, techniques, and procedures. Unfortunately, the number of [APTs is growing year by year, and most of them stay under the radar for a long](http://securityaffairs.co/wordpress/26592/cyber-crime/pitty-tiger-atp.html) period.

In 2013, Adrian Nish of BAE Systems investigated a cyber attack suffered by an engineering company in the UK that operates in the national power industry. The security experts discovered that the hackers had compromised the company's network for some time, exfiltrating all kinds of information.

_“The group has probably been working for about two years now,” Nish explained. “It’s an emerging trend in the Middle East. That’s a complicated region and the offensive side of things is becoming complicated there too. There’s offensive cyber companies and local malware authoring now.”_

Nish identified the C&C servers used by the threat actors and discovered that Google was indexing some of the machines the hackers used to siphon data. According to the researcher, the bad actors could be members of a pro-Iranian group, and they proved to have access to a wide set of hacking tools.
BAE dubbed the APT group Ali Baba because of a code name found in one of the tools in their arsenal.

_“They had taken network diagrams, usernames and credentials from an Israeli university and even an entire Web app that they stole from a group in the Middle East,”_ [Nish said in a talk at the Kaspersky Lab Security Analyst Summit here Monday.](http://sas.kaspersky.com/) _“They had even stolen some signatures, physical signatures from people who had scanned them for some reason. What could possibly go wrong with that?”_

Nish confirmed that he had discovered nearly 40 distinct hacking tools, including five modules of custom malware, a keylogger, a custom hash cracker and many others. The expert highlighted some interesting methods for defeating incident response on compromised networks and for data exfiltration.

Nish detailed one of the tools in the Ali Baba arsenal, Fakeddos.exe, which the hackers used to generate large amounts of junk traffic on compromised networks. The threat actor used this tactic to overwrite the logs of legitimate traffic, making investigation by security firms difficult.

_“That really makes incident response quite a pain, really,” Nish said._

The Ali Baba hackers used a [singular exfiltration technique based on email](http://securityaffairs.co/wordpress/30624/cyber-crime/hackers-used-data-exfiltration-based-video-steganography.html): they disguised the outbound emails as Viagra spam messages to avoid detection by defense systems.

According to a [report published by the security company Cylance](http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf), the UK firm wasn't the only known victim of Ali Baba; the APT had also compromised transportation [companies in South Korea and Pakistan. Cylance identified the hacking team as OpCleaver.](http://securityaffairs.co/wordpress/30734/intelligence/operation-cleaver-iranian-hackers.html)

**[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)** **[(Security Affairs – Ali Baba APT, cyber espionage)](http://securityaffairs.co/wordpress/)**
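As an added illustration, not part of Nish's research or the original article, here is a small Python detector for the log-flooding tactic described above (Fakeddos.exe drowning legitimate entries in junk traffic), run over a constructed log. It flags a source whose per-minute event count jumps an order of magnitude above the median bucket and reports how much of the retained log the burst has displaced; the host addresses, log format and thresholds are assumptions.

```python
import statistics
from collections import Counter
from datetime import datetime

def make_sample_log():
    """Constructed sample, not real telemetry: ten minutes of routine traffic
    from three hosts (3-5 events per minute each), then a 300-event burst from
    10.0.0.7 in minute 10, the shape junk traffic takes when its goal is to push
    real entries out of a fixed-size log buffer."""
    lines = []
    for minute in range(10):
        for i, src in enumerate(("10.0.0.5", "10.0.0.6", "10.0.0.7")):
            for n in range(3 + i):
                lines.append(f"2015-02-10T09:{minute:02d}:{n:02d} src={src} dst=10.0.0.20 bytes=512")
    lines += [f"2015-02-10T09:10:{n % 60:02d} src=10.0.0.7 dst=10.0.0.20 bytes=1" for n in range(300)]
    return lines

def parse_line(line):
    """Return (source IP, minute bucket) from an 'ISO-time src=IP ...' record."""
    fields = line.split()
    return fields[1][len("src="):], datetime.fromisoformat(fields[0]).strftime("%Y-%m-%dT%H:%M")

def bucket_counts(lines):
    """Event count per (source, minute) bucket."""
    return Counter(parse_line(line) for line in lines)

def flag_flooders(lines, factor=10, min_events=50):
    """Sources with a minute whose count is >= factor x the median bucket and
    >= min_events. Returns {src: (minute, count, median)} with each source's
    worst minute. The thresholds are assumptions; tune them per environment."""
    counts = bucket_counts(lines)
    if not counts:
        return {}
    median = statistics.median(counts.values())
    flagged = {}
    for (src, minute), n in counts.items():
        if n >= min_events and n >= factor * median:
            if src not in flagged or n > flagged[src][1]:
                flagged[src] = (minute, n, median)
    return flagged

def junk_share(lines):
    """Fraction of retained lines belonging to flagged bursts: how much of the
    log's retention window the flood has already displaced."""
    flagged = flag_flooders(lines)
    junk = sum(n for (src, minute), n in bucket_counts(lines).items()
               if src in flagged and flagged[src][0] == minute)
    return junk / len(lines) if lines else 0.0
```

A junk share near 1.0 means the buffer has already rolled over the period an investigator cares about, so the response should be to pull logs from an upstream collector rather than the flooded host.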