The biggest data breaches and cyberattacks in the Middle East

The increasing pace of technology adoption In the Middle East, including deployment of remote-work tools and migration to the cloud, has made many enterprises operate more efficiently and opened up new markets. The downside: It has also made enterprises more vulnerable to cyberattacks.

Gulf countries in particular, including Saudi Arabia and the United Arab Emirates, are increasingly becoming the targets of sophisticated attacks that are aimed at stealing personal data and, in some cases, exposing state secrets as age-old geopolitical rivalries play out online.

Data breaches in the MENA region are known to be particularly costly affairs, with the average damage reaching $6.53 million, well above the global average incident cost of $3.86 million, according to a 2020 study by the Ponemon Institute and IBM Security.

Attacks against individuals also gained momentum, with the region experiencing 2.57 million phishing attacks between April and June of 2020 alone. This increase in phishing attacks is particularly concerning, as phishing emails are often a precursor to more damaging incidents such as ransomware attacks. 

“We did see a drop in the amount of successful ransomware attacks, where criminals failed to encrypt data. This is good news in the sense that more attacks are being detected and blocked before the final payload is deployed,” explains John Shier, senior research scientist at Sophos.  “However, we have also seen the rate of extortion increase in 2020, which means many criminals are still able to monetize their efforts by stealing data.”

In fact, 28% of the organizations in the Middle East that were hit by ransomware paid a ransom last year, according to Sophos’ latest report.

CIO Middle East has compiled a list of serious data breaches and cyberattacks reported in the region in recent years:

SolarWinds update opens gateway for cybercriminals

SolarWinds made global headlines at the end of 2020 as a group of cyberattackers believed to be Russia’s “Cozy Bear” gained access to government systems through a compromised update to SolarWinds’ Orion network monitoring software. 

In addition to government systems in the US and Europe, this software supply chain attack reportedly affected systems in the UAE and Israel, though victims were not directly identified. 

Supply chain attacks like the SolarWinds incident can be particularly difficult to flag and track as hackers use third-party software as gateways to breach critical systems and infrastructure. 

UAE: Police Data Sold Online

Security firm CloudSek flagged an alarming post in July 2020, indicating that the personal information of nearly 25,000 UAE police officers was listed for sale on a web database marketplace. While the source of the data remains unknown, the seller was requesting $500 for the entire dataset and had multiple samples to prove the data’s authenticity. 

The seller was also reportedly in possession of an Abu Dhabi police database with 31,878 files and 6 folders, according to CloudSek. Sample images indicated the data up for sale included personal information such as police officer’s mobile phone numbers, email addresses, and even physical addresses. 

Malicious Office docs target Arab countries

In January 2020, Cisco Talos disclosed the details of a new Remote Access Trojan (RAT), naming it “JhoneRAT.” The malware, dropped to the victims via malicious Microsoft Office documents, attempts to gather information on the target’s machine.

JhoneRAT, which was developed in Python, also tried to download additional payloads and upload the information gathered during the reconnaissance phase, Cisco said, while noting that the particular RAT was attempting to target a specific set of Arabic-speaking countries.

Cisco’s analysis revealed that the JhoneRAT targeted Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

Bahrain: Oil company faces breach

In January 2020, Saudi Arabian authorities reported that data-wiping malware dubbed “DUSTMAN” hit a regional enterprise, later reported to be Bapco, Bahrain’s national oil company. The malware was based on prior data-wipers that have been linked to Iran-based, nation-state actors.

DUSTMAN was “detonated” on Dec. 29 2019, according to Saudi Arabia’s National Cybersecurity Authority (NCSC). The NCSC did not specify the DUSTMAN target, but ZDNet reported the following week that it was Bapco, citing multiple sources.

DUSTMAN has different characteristics than other Iran-linked malware that has been observed through the years, but there are similarities.  For example, “Shamoon” malware variants, also linked to Iran, use the same third-party driver, “Eldos RawDisk,” according to the NCSC. And Shamoon bears similarities to ZeroCleare, another data-wiper linked to Iran, according to IBM’s X-Force security intelligence service.

Phishing scam targets MENA policy makers

Phishing attacks in the MENA soared by 600% in the first quarter of 2020, according to a report by the Dubai Future Foundation. While many of these scam communications played on fears related to the pandemic, security firm Cybereason reported an apparent espionage campaign targeting Middle East political leaders as well. 

The attack relied on an advanced persistent threat (APT) known as Molerats, a part of the politically motivated hacker group The Gaza Cybergang. Researcher say this group has been in operation since 2012, and uses politically-themed emails to attempt to trick leaders in the UAE, Egypt, Turkey, and the Palestinian Territories. 

Government-affiliated entities in Kuwait and KSA targeted

According to reports by security firm Bitdefender in May 2020, air transport and government agencies in Kuwait and Saudi Arabia were targeted, likely in an attempt to explore and exfiltrate sensitive data. Chafer, the hacking group most likely responsible for the attacks, are believed to have ties to Iran. 

The group used a variety of tools, according to the Bitdefender report, including ‘living off the land tools’ – legitimate applications used by hackers for their own criminal agenda. While the victimized organizations were not identified, the first signs of the Kuwait attack date back to 2018.

Phosphorus targets tech conferences

Iranian-based group Phosphorus reportedly targeted two major international tech conferences this last October, according to a blog released by Microsoft after the Microsoft Threat Intelligence Center (MSTIC) flagged unusual activity. The Munich Security Conference and the Think 20 (T20) Summit in Saudi Arabia were both said to have been victims of the campaign.

Attendees of the T20, an annual event that aims to inform policy-making efforts for the G20 nations, received spoofed invitations to the event via email. While the emails were written in perfect English and appeared legitimate, they were exposed to be phishing emails designed to collect sensitive data. 

According to Microsoft’s Digital Defense Report, nation-state cyberattackers frequently target “think tanks, policy organizations, and governmental and non-governmental organizations” in order to collect data. Microsoft informed the event organizers and worked in tandem to warn attendees and prevent further attacks.

Kuwait: Malware hits transport, shipping

Previously unknown hacking tools targeted transportation and shipping organizations based in Kuwait between May and June 2018, according to Unit 42, the global threat intelligence team at Palo Alto Networks.

The cyberattack campaign was likely related to activity also targeting Kuwait between July and December 2018, which was reported by IBM X-Force IRIS.

The researchers found that malicious actors deployed a backdoor tool called Hisoka version 0.8, as well as other malware that appear to have been created by the same developer or developers. Other backdoor tools found by Unit 42 were called Sakabota, Hisoka, Netero and Killua.

The hackers also deployed malware called Gon, which grants access to open ports on remote systems, with the ability to upload files, download files, take screengrabs, run commands, and also create an RDP (remote desktop protocol) function. In essence, every action on the infected system can be monitored and all files can be stolen without alerting the infected company.

Israel: PM Netanyahu personal travel data exposed by hacker

On May 20, 2019, Spanish travel portal Amadeus said in a statement that a system used by its businesses in Israel had been victim to “an illegal and unauthorised access to flight itinerary data”.

The data breach exposed the flight itineraries and details of high-ranking Israeli officials, including Prime Minister Benjamin Netanyahu and his family. The leaked database also contained data about 36 million booked flights, 15 million passengers, 700,000 visa applications and over 1 million hotel bookings. Email addresses through which the flights and hotels were booked could also be accessed.

“This mass data is accessible to everyone and is especially sensitive since it contains information about senior government and defense establishment officials, who use the services of travel agencies that employ this system,” the hacker who carried out the attack, and who wished to remain anonymous, told Israeli daily Haaretz.

They explained that they only had to type ‘Netanyahu’ on the search box to find data about him and his family.

Apparently there was no criminal motivation for the leak. The travel business added in its statement that they are investigating the breach but there was “no evidence to suggest that the data has been accessed by anyone other than the security researcher who reported his findings to the Israeli authorities.”

Saudi Arabia: White-hat hackers infiltrate Dalil

Dalil, a popular communications app in Saudi Arabia and the biggest phone directory in the kingdom, suffered a data breach in Mrach 2019 affecting more than 5 million users.

The breach in the company’s database was discovered by a team of researchers from privacy website vpnMentor. They also found out that all the user data gathered by the app was stored in an unsecured and unmonitored MongoDB database. 

White-hat hackers were able to access millions of customer data without the need or authentication, evidence of the weakness of the company’s data security and privacy measures.

UAE: Careem suffers breach

Careem, a popular ride-hailing start-up in the Middle East soon to be acquired by Uber — until then its main competitor in the region — suffered a thorny data breach in January 2018.

Personal data belonging to the start-up’s clients, including customers’ names, email addresses, phone numbers and trip data, was stolen by hackers. 

Although the Dubai-based company said that it had seen “no evidence of fraud or misuse related to this incident,” it also advised users to strengthen account passwords and to monitor bank statements for suspicious activity.

Careem explained that customers’ credit card data is stored on an external third-party PCI-compliant server, and thus wasn’t affected by the breach.

According to Reuters, when the cyberattack occurred the ride-hailing app had 14 million customers and 558,000 drivers (called ‘captains’) operating in the network across 78 cities in the region. Customers and riders who signed up after 14 January, when the incident took place, were not affected, the company said in a statement. 

Lebanon: Lebanese expats’ personal data exposed abroad

A few months before Lebanon’s general elections in May 2018, Lebanese embassies in the UEA and the Netherlands exposed personal data of Lebanese citizens living abroad, making it accessible to unauthorised users and third parties.

In the UAE, embassy officials sent an email to Lebanese nationals living in the country with an attached spreadsheet including personal details of more than 5,000 Lebanese citizens who had registered to vote in the elections.

A similar email with a spreadsheet containing personal information of Lebanese registered voters in the Netherlands was sent by the local embassy to more than 200 recipients.

According to the NGO, personal information in the UAE and Netherlands spreadsheets included voters’ full name, parents’ names, sex, date of birth, religion, marital status, and address.

The data fiasco happened shortly after the Lebanese Ministry of Foreign Affairs and Emigrants (MFA) had been using cookies to track more than 90,000 users who used the ministry’s website to register to vote online.

Turkey: Government database hacked

In April 2016, personal data — including full names, address, national ID number, parents’ full names and date of birth — belonging to about 50 million Turkish citizens (two thirds of the country’s population) was leaked and posted online on a website called the Turkish Citizenship Database.

Transport and Communication Minister Binali Yildirim confirmed at the time that the breach appeared to date back to at least 2010. He added that the information was taken from electoral records that the government shares with political parties prior to elections. However, Tuncay Besikci, a computer forensics expert at consultancy firm PwC, told Reuters “he believed the data was taken from the government’s official Population Governance Central Database in or around 2009 and later illegally sold on to firms that dealt in asset foreclosures.”

Qatar: QNB sees sensitive financial details published online

In April 2016, Qatar National Bank (QNB), one of the largest financial institutions in the MENA region, was hit by a severe cyberattack which revealed names, PINs and passwords of a large number of customers. The leaked data was posted online to the freedom-of-expression website Cryptome.

Doha News reported that the breached information also included internal corporate files and the bank details, telephone numbers and dates of birth of a number of Al-Jazeera journalists, supposed members of the ruling al-Thani family, and government and defence officials.

Although the authenticity of all of the leaked data couldn’t be verified, a number of well-known Qatari government and media personalities told Reuters that their account details published online were correct.   

(Additional reporting by John benny and Annie Bricker.)