Names | Operation Parliament (Kaspersky) | |
Country | [Unknown] | |
Motivation | Information theft and espionage | |
First seen | 2017 | |
Description | (Kaspersky) Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital). With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East. An overlap has been found between Operation Parliament and Molerats, Extreme Jackal, Gaza Cybergang. | |
Observed | Sectors: Defense, Education, Energy, Financial, Government, Healthcare, Media, Research, Shipping and Logistics, Telecommunications and Sports. Countries: Afghanistan, Canada, Chile, Denmark, Djibouti, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Morocco, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Somalia, South Korea, Syria, UAE, UK, USA. | |
Tools used | Remote CMD/PowerShell terminal. | |
Information | <https://securelist.com/operation-parliament-who-is-doing-what/85237/> <https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html> |
Last change to this card: 15 April 2020
Download this actor card in PDF or JSON format
Previous: Operation Olympic Games
Next: Operation Poisoned News, TwoSail Junk
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |