{
	"id": "93c8c46f-1ec9-4698-9a35-ed53031ba870",
	"created_at": "2026-04-06T00:17:06.454661Z",
	"updated_at": "2026-04-10T13:12:52.973229Z",
	"deleted_at": null,
	"sha1_hash": "f3a80fc787e92c2956cdf318b73cfbbae3d19ef0",
	"title": "Hacking campaign combines attacks to target government, finance, and energy",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 72695,
	"plain_text": "Hacking campaign combines attacks to target government, finance, and energy\r\nBy Danny Palmer, Senior Writer, July 26, 2018 at 3:02 a.m. PT\r\nArchived: 2026-04-05 17:50:18 UTC\r\nA newly-uncovered cyber espionage operation is combining known exploits with custom-built malware in a campaign that has targeted hundreds of organisations, particularly those in the government, finance, and energy sectors.\r\nDiscovered by researchers at Symantec, the group is called Leafminer and has been operating out of Iran since at least early 2017.\r\nThe malware and custom tools used by Leafminer have been detected across 44 systems in the Middle East: 28 in Saudi Arabia, eight in Lebanon, three in Israel, one in Kuwait, and four in unknown locations -- but the investigation into the campaign found a list of 809 targets.\r\nThe attackers' activity suggests the goal of their campaign is to steal data, including emails, credentials, files, and information on database servers operated by compromised targets.\r\nLeafminer uses three main techniques for compromising target networks: watering hole attacks, vulnerabilities in network services, and brute-force dictionary attacks which attempt to crack passwords. Researchers said that phishing emails might also be used, but evidence for this hasn't yet been seen.\r\nIt's the watering hole attacks and the discovery of compromised websites which initially led Symantec to Leafminer. The watering hole attacks saw obfuscated JavaScript code left on targeted websites as a means of abusing the SMB protocol to retrieve passwords.\r\nCompromised targets included a Lebanese government site, a Saudi Arabian healthcare site, and an Azerbaijan university. Researchers note that the same technique was deployed by the DragonFly hacking group last year -- but rather than being a related attack group, Leafminer appears to be mimicking the earlier attack.\r\nhttps://www.zdnet.com/article/hacking-campaign-combines-attacks-to-target-government-finance-and-energy/\r\nPage 1 of 3\r\nThis isn't the only tactic which Leafminer has picked up from successful campaigns by other criminal groups. Leafminer uses EternalBlue -- the leaked NSA exploit which powered the WannaCry ransomware -- to move within targeted networks.\r\nThe attackers also attempt to scan for Heartbleed, an OpenSSL vulnerability which could allow attackers to see encrypted data. Heartbleed came to light in 2014, but thousands of sites still remain vulnerable.\r\nAnother known technique is lifted in order to help exfiltrate data. Known as doppelgänging, the process was revealed late last year and circumvents security tools by using process hollowing to make the malicious processes look benign.\r\nThe use of all the above leads Symantec to state that Leafminer actively monitors developers and publications of offensive techniques for ideas.\r\nBut the campaign isn't purely based on repurposed attacks deployed by others, as Leafminer has also deployed two strains of custom malware during their campaigns: Imecab and Sorgu.\r\nImecab is designed to set up persistent remote access to a target machine with a hard-coded password and is installed as a Windows service in order to ensure it remains available to the attacker.\r\nSorgu is used in a similar fashion, providing remote access to the infected machine, and is also installed as a service in the Windows system via a shell command script.\r\nBut while the Leafminer group appears keen to learn from other successful espionage campaigns, one thing it has failed at is operational security: researchers found a staging server used by the attackers to be publicly accessible, exposing the group's entire arsenal of tools and indicating inexperience on the attackers' part.\r\nThis public information also led to a list of over 800 potential targets in government, finance, and energy across the Middle East. The list is written in the Iranian Farsi language, leading researchers to conclude that the group is based in Iran, although there's currently no evidence of it being a state-backed campaign.\r\nNo matter who is behind the campaign, it's likely that the group will continue to develop offensive techniques -- and they could even widen the scope of malicious attacks.\r\n\"It's possible the group would keep adopting and adapting both new publicly available hacking tools and techniques, as well as proof-of-concept exploits for new and old vulnerabilities,\" Armin Buescher, threat researcher at Symantec, told ZDNet.\r\n\"In terms of targeting, the attackers might continue going after targets in the Middle East, perhaps even expanding to countries outside of the region.\"\r\nSource: https://www.zdnet.com/article/hacking-campaign-combines-attacks-to-target-government-finance-and-energy/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/hacking-campaign-combines-attacks-to-target-government-finance-and-energy/"
	],
	"report_names": [
		"hacking-campaign-combines-attacks-to-target-government-finance-and-energy"
	],
	"threat_actors": [
		{
			"id": "62947fad-14d2-40bf-a721-b1fc2fbe5b5d",
			"created_at": "2025-08-07T02:03:24.741594Z",
			"updated_at": "2026-04-10T02:00:03.653394Z",
			"deleted_at": null,
			"main_name": "COBALT HICKMAN",
			"aliases": [
				"APT39 ",
				"Burgundy Sandstorm ",
				"Chafer ",
				"ITG07 ",
				"Remix Kitten "
			],
			"source_name": "Secureworks:COBALT HICKMAN",
			"tools": [
				"MechaFlounder",
				"Mimikatz",
				"Remexi",
				"TREKX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa57c036-b3e5-4bc4-83b8-cac8498b6c24",
			"created_at": "2023-01-06T13:46:38.589041Z",
			"updated_at": "2026-04-10T02:00:03.03199Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [],
			"source_name": "MISPGALAXY:SilverTerrier",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "81d49904-579d-45b3-ace2-1fdf0a713bc4",
			"created_at": "2022-10-25T15:50:23.331457Z",
			"updated_at": "2026-04-10T02:00:05.291098Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Leafminer",
				"Raspite"
			],
			"source_name": "MITRE:Leafminer",
			"tools": [
				"LaZagne",
				"Mimikatz",
				"MailSniper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552eeef7-4a19-44de-9147-db8893c115ef",
			"created_at": "2023-01-06T13:46:38.598788Z",
			"updated_at": "2026-04-10T02:00:03.034846Z",
			"deleted_at": null,
			"main_name": "RASPITE",
			"aliases": [
				"LeafMiner",
				"Raspite"
			],
			"source_name": "MISPGALAXY:RASPITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "649b5b3e-b16e-44db-91bc-ae80b825050e",
			"created_at": "2022-10-25T15:50:23.290412Z",
			"updated_at": "2026-04-10T02:00:05.257022Z",
			"deleted_at": null,
			"main_name": "Dragonfly",
			"aliases": [
				"TEMP.Isotope",
				"DYMALLOY",
				"Berserk Bear",
				"TG-4192",
				"Crouching Yeti",
				"IRON LIBERTY",
				"Energetic Bear",
				"Ghost Blizzard"
			],
			"source_name": "MITRE:Dragonfly",
			"tools": [
				"MCMD",
				"Impacket",
				"CrackMapExec",
				"Backdoor.Oldrea",
				"Mimikatz",
				"PsExec",
				"Trojan.Karagany",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bee22874-f90e-410b-93f3-a2f9b1c2e695",
			"created_at": "2022-10-25T16:07:23.45097Z",
			"updated_at": "2026-04-10T02:00:04.610108Z",
			"deleted_at": null,
			"main_name": "Chafer",
			"aliases": [
				"APT 39",
				"Burgundy Sandstorm",
				"Cobalt Hickman",
				"G0087",
				"ITG07",
				"Radio Serpens",
				"Remix Kitten",
				"TA454"
			],
			"source_name": "ETDA:Chafer",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Antak",
				"CACHEMONEY",
				"EternalBlue",
				"HTTPTunnel",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MechaFlounder",
				"Metasploit",
				"Mimikatz",
				"NBTscan",
				"NSSM",
				"Non-sucking Service Manager",
				"POWBAT",
				"Plink",
				"PuTTY Link",
				"Rana",
				"Remcom",
				"Remexi",
				"RemoteCommandExecution",
				"SafetyKatz",
				"UltraVNC",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"nbtscan",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ecff5c60-4f8b-4d7c-9784-f279eb056518",
			"created_at": "2022-10-25T15:50:23.49538Z",
			"updated_at": "2026-04-10T02:00:05.40672Z",
			"deleted_at": null,
			"main_name": "SilverTerrier",
			"aliases": [
				"SilverTerrier"
			],
			"source_name": "MITRE:SilverTerrier",
			"tools": [
				"NanoCore",
				"Agent Tesla",
				"NETWIRE",
				"DarkComet",
				"Lokibot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "32c8c1a1-ae5c-4a05-a95d-2e970a46cd1e",
			"created_at": "2022-10-25T16:07:23.777999Z",
			"updated_at": "2026-04-10T02:00:04.747552Z",
			"deleted_at": null,
			"main_name": "Leafminer",
			"aliases": [
				"Flash Kitten",
				"G0077",
				"Leafminer",
				"Raspite"
			],
			"source_name": "ETDA:Leafminer",
			"tools": [
				"Imecab",
				"LaZagne",
				"Mimikatz",
				"PhpSpy",
				"Sorgu"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434626,
	"ts_updated_at": 1775826772,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f3a80fc787e92c2956cdf318b73cfbbae3d19ef0.pdf",
		"text": "https://archive.orkl.eu/f3a80fc787e92c2956cdf318b73cfbbae3d19ef0.txt",
		"img": "https://archive.orkl.eu/f3a80fc787e92c2956cdf318b73cfbbae3d19ef0.jpg"
	}
}