[APT REPORTS](https://securelist.com/all?category=908) _[Kaspersky Security Bulletin: Review of the Year 2017](https://securelist.com/ksb-review-of-the-year-2017/83338/)_ _[Kaspersky Security Bulletin: Threat Predictions for 2018](https://securelist.com/ksb-threat-predictions-for-2018/83169/)_ # Operation Parliament, who _[Threat Predictions for Industrial Security in 2018](https://securelist.com/ksb-threat-predictions-for-industrial-security-in-2018/83186/)_ _Kaspersky Security Bulletin 2016. Review of the year._ # is doing what? _Overall statistics for 2016_ ###### By GReAT on April 12, 2018. 7:00 am _[Kaspersky Security Bulletin. Predictions for 2017](https://securelist.com/kaspersky-security-bulletin-predictions-for-2017/76660/)_ _Kaspersky Security Bulletin 2015. Evolution of cyber_ _threats in the corporate sector_ ## Summary Kaspersky Lab has been tracking a series of attacks utilizing unknown malware since early 2017. The attacks appear to be geopolitically motivated and target high profile organizations. The objective of the attacks is clearly espionage – they involve gaining access to top legislative, executive and judicial bodies around the world. 1. The attackers have targeted a large number of organizations globally since early 2017, with the main focus on the Middle East and North Africa (MENA), especially Palestine. High-profile organizations have also been targeted in other regions. The number of attacks has decreased since the beginning of 2018. 2. The attacks were initially discovered while investigating a phishing attack that targeted political figures in the MENA region. At first the attacks looked to be the work of the low-sophistication [Gaza Cybergang (decoys, file names), but further analysis painted a very different picture.](https://securelist.com/gaza-cybergang-updated-2017-activity/82765/) 3. Targets include high-profile entities such as parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies, and other unknown entities. 4. The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts/commands and receive the result via HTTP requests. ----- ## Victimology and Statistics Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Victims have been spotted in the Palestinian Territories, Egypt, Jordan, the UAE, Saudi Arabia, Djibouti, Qatar, Lebanon, Chile, Somalia, Iraq, Morocco, Syria, India, Iran, Canada, the USA, the UK, Germany, Israel, Afghanistan, Serbia, Russia, Oman, Kuwait, South Korea and Denmark. Num be r o f vict im Vict im o rganiz at io n t ype o rganiz at io ns Unknown 91 Senates/Parliaments 7 Prime Ministerial Offices 3 Military/Intelligence Agencies 5 Other Gov./Ministerial/Diplomatic 20 Offices Financial/Banking Institutions 5 Media Outlets 2 Olympic/Sports Bodies 2 R h C t /S h l 2 ----- The number of victims/victim organizations probably doesn’t represent the full scope of the attacks – only a portion. ## Attack description and attribution Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the i f i f di h i d d l Th i h l d ----- was carried out before the attacks (physical and/or digital). With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East. See the following for more information and examples of false flags being used in cyberattacks: [Wave your false flags! …or the Nightmares and Nuances of a Self-Aware Attribution Space](https://securelist.com/wave-your-false-flags/76273/) [OlympicDestroyer is here to trick the industry](https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/) ## Malware description The malware was first seen packed with VMProtect; when unpacked the sample didn’t show any similarities with previously known malware. All the strings and settings were encrypted and obfuscated. Functionality was identified that enables HTTP communication with the C&C server and invokes “processcreate” based on parameters received as a response. The configuration and strings are encrypted using 3DES and Base64 encoding. Data sent to the C&C server is also encrypted using 3DES and Base64. Different keys are used for local and network encryption. The malware starts communicating with the C&C server by sending basic information about the infected machine. The C&C server then replies with the encrypted serialized configuration. The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute scripts/commands and receive the results via HTTP requests. ----- _Sample of the C&C response with encrypted commands and configurations_ ## Examples of attack decoys _Translation: Contacts list of media personnel_ ----- _Translation: Relations between UAE and Jordan, and the impact caused by the non-boycott_ _of Qatar_ ----- _Translation: Military retirement statement 2017 June_ ----- _Translation: The new Hamas structure for Gaza strip 2017_ ----- _Translation: Clarification report (on Gaza employee salaries)_ ## What should high-profile organizations do? High-profile organizations should have elevated levels of cybersecurity. Attacks against them are inevitable and are unlikely to ever cease. These organizations need to pay particular attention to their security, implementing additional measures to ensure they are well protected. Anti-targeted attack solutions, threat intelligence capabilities and data flows, default-deny application lockdown, endpoint detection and response, data leak and insider threat prevention, and even isolated/air-gapped networks should form the basis of any strategy for protecting organizations in the current threat landscape. ----- ## Additional information For more information about the attacks and the indicators of compromise, please contact: [intelreports@kaspersky.com](mailto:intelreports@kaspersky.com) [Alternatively, please visit: https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting](https://www.kaspersky.com/enterprise-security/apt-intelligence-reporting) To find more information about cybersecurity awareness training for enterprise or government staff, [go to Kaspersky Security Awareness.](https://www.kaspersky.com/enterprise-security/cybersecurity-awareness) [APT](https://securelist.com/all?tag=538) [CYBER ESPIONAGE](https://securelist.com/all?tag=185) [TARGETED ATTACK](https://securelist.com/all?tag=954) ### Related Posts Share post on: ####    ###### Your new friend, KLara Masha and these Bears ###### Your new friend, KLara ###### Masha and these Bears ----- Name * Email * Notify me when new comments are added. SUBMIT ----- reCAPTCHA Please upgrade to a supported browser to get a reCAPTCHA challenge. Alternatively if you think you are getting this page in error, please check your internet connection and reload. Why is this happening to me? [© 2018 AO Kaspersky Lab. All Rights Reserved.](https://www.kaspersky.com) Registered trademarks and service marks are the property of their respective owners. [Contact us | Privacy Policy | License Agreement](https://securelist.com/contacts) -----