Kaspersky, one of the world’s top security firms, said today it discovered a new and never-before-seen hacker group that is currently targeting organizations from the Middle East industrial sector.
The security firm has named this group WildPressure and describes it as an APT (advanced persistent threat), a term normally used to describe nation-sponsored hacking operations.
The group’s primary weapon is a new C++ backdoor trojan that Kaspersky has named Milum, and which grants WildPressure operators complete control over an infected host.
Kaspersky experts say they’ve first discovered computers infected with Milum in August 2019, but they later found signs of past infections going as back as far as May 31, 2019.
An analysis of Milum’s code also confirmed that Milum was compiled two months before, in March 2019, which explains why Kaspersky wasn’t able to pick up older infections.
No shared code or victimology with any other operation
Furthermore, the same analysis also revealed Milum was made up of relatively new code, with no intersections or similarities to any other APT operation.
“Our Kaspersky Threat Attribution Engine (KTAE) doesn’t show any code similarities with known campaigns,” said Denis Legezo, a malware researcher for Kaspersky GReAT, the company’s elite hacker-hunting team.
“Nor have we seen any target intersections,” Legezo said. “In fact, we found just three almost unique samples, all in one country.”
That country is Iran, according to a screenshot that Kaspersky shared today, showing Iranian IP addresses connecting to a Milum command and control (C&C) server its researchers managed to sinkhole in September 2019.
This is not the first time that an APT group has targeted Iran in the past. The Stuxnet incident remains to this day one of the most infamous hacks in history — a joint operation carried out by the US and Israel to sabotage Iran’s nuclear capabilities.
Overall, cyber-espionage operations in the Middle East have been quite active over the past year as well. From the leak of Iran’s hacking tools to the deployment of new destructive data-wiping malware strains, there’s always something going on in the region, and in many incidents, attacks have targeted the local industrial sector, and especially the oil & gas fields.