By Alexander Badaev, Information security threat researcher, Positive Technologies Expert Security Center and Yana Avezova, Senior Research Analyst, Positive Technologies

In cybersecurity, “vulnerability” typically evokes concern. One actively searches for it and patches it up to build robust defenses against potential attacks. Picture a carefully orchestrated robbery, where a group of skilled criminals thoroughly examines a building’s structure, spots vulnerabilities, and crafts a step-by-step plan to breach security and steal valuables. This analogy perfectly describes the modus operandi of cybercriminals, with the “kill chain” acting as their detailed blueprint.

In a recent study, analysts from Positive Technologies gathered information on 16 hacker groups attacking the Middle East analyzing their techniques and tactics. It is worth noting that most of the threats in Middle Eastern countries come from groups believed to be linked to Iran—groups such as APT35/Charming Kitten or APT34/Helix Kitten. Let’s see how APT groups operate, how they initiate attacks, and how they develop them toward their intended targets.

Step 1: The Genesis of Intrusion (Attack preparation)

It all begins with meticulous planning and reconnaissance. APT groups leave no stone unturned in their quest for vulnerable targets. They compile lists of public systems with known vulnerabilities and gather employee information. For instance, groups like APT35 aka Charming Kitten known for targeting mainly Saudi Arabia and Israel, gather information about employees of target organizations, including mobile phone numbers, which they leverage for nefarious purposes like sending malicious links disguised as legitimate messages. After reconnaissance, they prepare tools for attacks, such as registering fake domains and creating email or social media accounts for spear phishing. For example, APT35 registers accounts on LinkedIn and other social networks to contact victims, persuading them through messages and voice calls to open malicious links.

Step 2: The Initial Access: Gaining a Foothold

Once armed with intelligence, cybercriminals proceed to gain initial access to their target’s network.  Phishing campaigns, often masquerading as legitimate emails, serve as the primary means of infiltration. An example is the Desert Falcons group, observed spreading their malware through pornographic phishing. Notably, some groups go beyond traditional email phishing, utilizing social networks and messaging platforms to lure unsuspecting victims, as seen with APT35, Bahamut, Dark Caracal, and OilRig. Moreover, techniques like the watering hole method, where attackers compromise trusted websites frequented by their targets, further highlight the sophistication of these operations. Additionally, attackers exploit vulnerabilities in resources accessible on the internet to gain access to internal infrastructure. For example, APT35 and Moses Staff exploited ProxyShell vulnerabilities on Microsoft Exchange servers.

Step 3: Establishing Persistence: The Art of Concealment

Having breached the perimeter, APT groups strive to establish a foothold within the victim’s infrastructure, ensuring prolonged access and control. This involves deploying techniques such as task scheduling, as seen in the campaign against the UAE government by the OilRig group, which created a scheduled task triggering malicious software every five minutes. Additionally, many malicious actors set up malware autostart, like the Bahamut group creating LNK files in the startup folder or Dark Caracal’s Bandook trojan. Some APT groups, such as APT33, Mustang Panda, and Stealth Falcon, establish themselves in victim infrastructures by creating subscriptions to WMI events for event-triggered execution. Furthermore, attackers exploit vulnerabilities in server applications to install malicious components like web shells, which provide a backdoor for remote access and data exfiltration.

Step 4: Unraveling the Network: Internal Reconnaissance

After breaking in, APT groups don’t just sit there. They explore the system like a thief casing a house to find valuables and escape routes. This digital reconnaissance involves several steps. First, they perform an inventory check, identifying the computer’s operating system, installed programs, and updates, like figuring out a house’s security measures. For instance, APT35 might use a simple command to see if the computer is a powerful 64-bit system, capable of handling more complex tasks. Second, they map the network layout, akin to identifying valuable items and escape routes. APT groups might use basic tools like “ipconfig” and “arp” (like Mustang Panda) to see how devices are connected and communicate. They also search for user accounts and activity levels, understanding who lives in the house (figuratively) and their routines. Malicious tools, like the Caterpillar web shell used by Volatile Cedar, can list all usernames on the system. Examining running programs is another tactic, like checking for security guards. Built-in commands like “tasklist” (used by APT15 and OilRig) can reveal a list of programs currently running.

Finally, APT groups might deploy programs that hunt for secrets hidden within files and folders, like searching for hidden safes or documents. The MuddyWater group, for example, used malware that specifically checked for directories or files containing keywords related to antivirus software. By gathering this comprehensive intel, APT groups can craft targeted attacks, steal sensitive data like financial records or personal information, or exploit vulnerabilities in the system to cause even more damage.
Step 5: Harvesting Credentials: Unlocking the Vault

Access to privileged credentials is the holy grail for cyber attackers, granting them unrestricted access to critical systems and data. One common tactic is “credential dumping,” where tools like Mimikatz (used by APT15, APT33, and others) snatch passwords directly from a system’s memory, similar to stealing a key left under a doormat. Keyloggers, used by APT35 and Bahamut for example, acts like a hidden camera, silently recording keystrokes to capture usernames and passwords as victims type them in.

These stolen credentials grant access to even more sensitive areas. APT groups also exploit weaknesses in how passwords are stored. For instance, some target the Windows Credential Manager (like stealing a notepad with written down passwords). Brute-force attacks, trying millions of combinations, can crack weak passwords. Even encrypted passwords can be vulnerable if attackers have specialized tools. By employing these tactics, APT groups bypass initial security and access sensitive information or critical systems.

Step 6: Data Extraction: The Quest for Valuable Assets

Once inside, APT groups aren’t shy about snooping around. They leverage stolen credentials to capture screenshots, record audio and video (like hidden cameras and microphones), or directly steal sensitive files and databases. For instance, the Dark Caracal group employed Bandook malware, which can capture video from webcams and audio from microphones. This stolen data becomes their loot.

To ensure a smooth getaway, APT groups often employ encryption and archiving techniques. Imagine them hiding their stolen treasure chests—the Mustang Panda group, for example, encrypted files with RC4 and compressed them with password protection before shipping them out. This makes it difficult for defenders to identify suspicious activity amongst regular network traffic.

Step 7: Communication Channels: Establishing Control

APT groups rely on hidden communication channels with command-and-control (C2) servers to control infected machines and exfiltrate data. They employ various tactics to blend in with regular network traffic. This includes using common protocols (like IRC or DNS requests disguised as legitimate web traffic) and encrypting communication for further stealth.

However, some groups take it a step further. For instance, OilRig used compromised email servers to send control messages hidden within emails and then deleted them, making their C2 channel nearly invisible. These innovative techniques make it difficult for security measures to detect malicious activity, highlighting the importance of staying informed about evolving APT tactics.

Step 8: Covering Tracks: Erasing Digital Footprints

As the operation ends, APT groups meticulously cover their tracks to evade detection and prolong their presence in the compromised environment. Techniques like file obfuscation, masquerading, and indicator removal are employed to erase digital footprints and thwart forensic investigations. For example, the Bahamut group used icons mimicking Microsoft Office files to disguise malware, and the OilRig group used .doc file extensions to make malware appear as office documents. The Moses Staff group named their StrifeWater malware calc.exe to make it look like a legitimate calculator program.

To further bypass defenses, attackers often proxy the execution of malicious commands using files signed with trusted digital certificates. The APT35 group used the rundll32.exe file to execute the MiniDump function from the comsvcs.dll system library when dumping the LSASS process memory. Meanwhile, the Dark Caracal group employed a Microsoft Compiled HTML Help file to download and execute malicious files. Many APT groups also remove signs of their activity by clearing event logs and network connection histories, and changing timestamps. For instance, APT35 deleted mailbox export requests from compromised Microsoft Exchange servers. This meticulous cleaning makes it much more difficult for cybersecurity professionals to conduct post-incident investigations, as attackers often remove their arsenal of software from compromised devices after achieving their goals.

Conclusion: A Call to Vigilance

In a nutshell, the threat landscape in the Middle East is fraught with peril, as APT groups continue to refine their tactics and techniques to evade detection and wreak havoc on unsuspecting organizations. By understanding the anatomy of cyber intrusions and remaining vigilant against emerging threats, organizations can bolster their defenses and mitigate the risks posed by these sophisticated adversaries. Together, let us remain steadfast in our commitment to safeguarding the digital frontier against cyber threats.

By Saeed Alajou, Senior Sales Director, Enterprise Business

With the increasing dominance of technological advancements in the current era, the global retail industry is witnessing a massive shift in its operations. As the industry embraces a varied range of cutting-edge technologies such as artificial intelligence (AI) and big data analytics, it is redefining customer expectations and the conventional concepts of business operations. According to recent studies, The global artificial intelligence (AI) in retail market size is projected to grow from $9.36 billion in 2024 to $85.07 billion by 2032, at a CAGR of 31.8% from 2024 to 2032. This transformative wave is compelling companies to harness the potential of these cutting-edge technologies to maintain their competitive edge.

One of the most evident trends in this era is the convergence of eCommerce, AI and data analytics, which is driving the evolution of the retail landscape worldwide. In the current omnichannel retail landscape, consumers expect consistency and continuity across various touchpoints, pushing industry players to integrate conversational AI. This integration ensures a seamless experience; for example, customers can begin a conversation with a chatbot while browsing online and effortlessly continue it via a mobile app when they visit a physical store.

However, the potential of the omnichannel approach and conversational AI platforms is not limited to supporting customers. They also provide retailers with valuable insights into customer behaviour across different channels. Conversational AI platforms can generate a vast amount of data from customer interactions, offering retailers valuable insights into consumer preferences, trends, and pain points. By analysing this data, retailers can uncover patterns, identify emerging trends, and optimise their product offerings and marketing strategies accordingly.

Furthermore, AI-driven analytics enable retailers to gauge customer sentiment, allowing them to address issues and enhance satisfaction proactively. These data-driven insights empower retailers to make informed decisions and stay ahead of the curve. Reflecting the vast potential of AI, the retail sector in the Middle East is rapidly adopting this technology, becoming a leading industry in AI investment. Reports indicate that AI spending in the Middle East and Africa (MEA) reached USD 3 billion and is expected to grow to USD 6.4 billion by 2026, with a compound annual growth rate (CAGR) of 29.7 per cent.

The innovation of chatbots and virtual assistants has accelerated the integration of AI technologies in retail, revolutionising customer interactions by adding a human-like touch to digital engagements. These tools enhance the purchasing journey, making it more intuitive and responsive, providing customised and real-time recommendations based on consumer sentiment. However, retailers need to manage expectations of scalability and ensure AI complements rather than replaces human interactions.

Furthermore, integrating big data into retail operations helps understand customer behaviour and preferences. Retailers can leverage vast amounts of data to gain insights into customer needs and tailor their offerings accordingly. By analysing customer-generated data, businesses can conduct predictive analysis to anticipate trends and make informed decisions, keeping them ahead of the curve in offering products and services that resonate with their target audience.

When it comes to the impact of AI integration in the retail sector, one key segment where it is significantly visible is the supply chain. By integrating big data analytics, retailers are achieving more efficiency in their supply chain operations. Predictive analytics powered by AI aids in forecasting demand, optimising inventory levels, reducing waste, and ensuring products are available when and where customers need them. This enhances operational efficiency and customer satisfaction by minimising stockouts and delays.

AI integration supports a customer-centric approach in retail, and it positions technology as a key facilitator in meeting customer demand. Advanced technologies can identify and replicate demographic needs and pinpoint where investment is required to add value. The integration of various AI tools including price-matching technologies, pay-per-click advertising optimisation, and predictive analytics, aids the retailers in focusing on perfecting the customer journey, ensuring a seamless and enjoyable experience from the start to finish.

Although AI is widely embraced across the industry regardless of company size, delivering the best customer service requires empowering employees with the right tools and knowledge. When employees are equipped with AI-driven insights, they can provide more personalised and efficient service, enhancing the overall customer experience. This empowerment also promotes a culture of innovation and continuous improvement within the organization.

Additionally, data integration and integrity are crucial for the effectiveness of AI and big data. Retailers must implement systems that can integrate data from various sources, ensuring that all information is accurate, consistent, and up to date. This collaborative approach allows retailers to offer a unified brand experience across all channels while maintaining data boundaries and complying with privacy regulations.

This widespread adoption of AI technologies in the industry underscores the importance of establishing a robust and adaptable regulatory framework. Given the growing concerns about data privacy and ethical use, retailers must ensure responsible and secure handling of customer data. Stagnant regulations can lead to compliance issues and erode customer trust, and this necessitates current and customer-aligned regulations to maintain a trustworthy data environment.

Another challenge in AI integration is utilising AI and big data to experiment with new ideas and strategies. In retail, embracing calculated risks is crucial for innovation and growth, viewing risks as learning opportunities. Being responsive to evolving customer needs allows retailers to navigate uncertainties and capitalise on opportunities for success.

With AI projected to contribute up to USD 320 billion to the Middle East’s economy by 2030, the region is increasing its investment in technology. This emphasises the need for a holistic approach in retail, integrating AI, big data, and a customer-centric mindset to thrive in the market. The industry players can maintain their competitive edge by focusing on efficiency in supply chain operations, understanding consumer behaviour, and empowering employees.

By Chuan Chuan (Winter) Leng, ICT Specialist and Senior Technical Manager, Hytera

The Middle East, a region renowned for its technological advancements, has long been an early adopter of new technologies, including mission-critical communications (MCC). In particular, they have been quick to deploy the latest 3GPP-based broadband technology, known as mission-critical services (MCX).

MCC used to be dominated by narrowband land mobile radio (LMR) solutions such as TETRA, P25, and DMR. Increasingly more users, such as the police, equipped with LMR systems have been publicizing RFI of interconnecting narrowband LMR networks with the newer 4G/5G broadband MCC systems.

A good illustration of this is the FIFA World Cup 2022 in Qatar, where the organizers implemented a hybrid network, which integrated both narrowband TETRA and broadband push-to-talk (PTT) technologies.

“Following the success of the 2022 FIFA World Cup, more Middle Eastern countries are now implementing broadband PTT technologies. For example, Abu Dhabi has set up a private 4G LTE network using 700MHz spectrum for its Smart/Safe City project, which has been recently updated to 5G to support advanced broadband MCC applications. Meanwhile, the Qatar Ministry of lnterior has completed the upgrade of its mission-critical capabilities and is rolling out a full range of MC services. Saudi Arabia is currently in the process of assigning broadband spectrum for public safety use,” said Jonson Wang, Product Marketing Manager of Hytera MEA.

The need for converged networks is increasing

Mahinsha Backer, the Asst. General Manager of Zener Marine Services, a much-acclaimed MCC solution distributor in the region, predicted that broadband MCX will dominate the future MCC market, but not as a replacement for traditional technologies. Rather, MCX will be deployed as an enhancement or unified solution ensuring redundancy in communication systems with broadband media capabilities.

Public safety agencies in the Middle East currently rely heavily on LMR systems due to their proven reliability and security. Despite the fact that more countries are beginning the transition to broadband technologies, TETRA systems will continue to coexist with LTE networks for a long time for technical and economic reasons.

Several countries in the region traditionally rely on mature TETRA and P25 networks, according to Ildefonso de la Cruz, principal analyst in the Public Safety & Critical Communications group at Omdia. In addition, Ildefonso also pointed out that new TETRA networks have been deployed to address the needs of sports as well as tourism-related contracts in Bahrain, UAE, and Saudi Arabia, including deployments in the F1 Grand Prix in Abu Dhabi and Bahrain, as well as mission-critical solutions for the Hajj pilgrimage in Saudi Arabia.

Given the continuing deployment of LMR networks, the market needs to find a way to integrate these different technologies to deliver improved MCC services to its customers. This requires a unified, standards-based approach to tightly integrate LMR and LTE networks.

Thanks to the collaborative efforts of 3GPP, ETSI, and TCCA, particularly in the realm of MCX and the interworking function (IWF), it is expected that the majority of countries will embrace these standard-based approaches. This will pave the way for truly unified, fully interoperable MCC services.

Hybrid-mode devices, also known as converged devices, have already proven their value in the market. These devices are purposely designed to operate on both TETRA and LTE networks, ensuring uninterrupted communications for responders and paving the way for a seamless transition to broadband. Vendors active in the Middle East, like Hytera, offer a variety of hybrid-mode devices, such as the PTC760.

Control rooms move towards next-generation intelligent operation

Control rooms are becoming more intelligent, which is enabling public safety agencies to make a paradigm shift from reactive to proactive operations. Better quality intelligence delivered in near-real or real time enables public safety agencies to make more accurate predictions about outcomes, better-informed decision-making, and a more targeted allocation of resources.

A unified communications platform with a hybrid dispatch console capable of integrating multiple technologies such as LTE, TETRA and more, will ensure seamless connectivity among agencies to support the instantaneous exchange of information and enable a properly coordinated response.

Modern responders are equipped with a range of advanced devices, including smartphones, radios, and body cameras, which enable real-time interaction with dispatchers using built-in communication and location tools. By incorporating advanced intelligence data from the control room and leveraging these new tools, responders can carry out operations more swiftly, flexibly, and accurately, thereby enhancing their overall effectiveness.

Pioneering companies in the industry have showcased their expertise in delivering intelligent-centric command, control, and coordination solutions in the global market. By leveraging their capabilities, intelligence-enabled command centers are poised to play a crucial role in the next-generation of public safety operations in the region.

Advanced video surveillance, along with real-time and historical intelligence analytics can be deployed to accurately forecast threats and rapidly implement robust preventive protection measures for effectively handling anticipated or ongoing incidents and emergencies.

Next-generation Computer-Aided Dispatch (CAD) systems enable agencies to strategically deploy resources, initiate early intervention, and implement measures that deter or minimize the impact of potential threats, thereby improving response outcomes.

Telecom operators carve out a slice of the MCC market

With the ongoing expansion of broadband services in the Middle East, LTE and 5G NR mobile networks are gaining recognition as alternative platforms for providing push-to-talk (PTT) and multimedia services.

Mobile network operators (MNO) like STC in Saudi Arabia, Vodafone and Ooredoo in Qatar, and Omantel in Oman have been playing an increasingly important role in the market by introducing broadband PTT services for public safety and industrial users in recent years.

These operators leverage their extensive network coverage to provide comprehensive broadband PTT solutions that integrate devices, services, and traffic into a single package. This approach offers several benefits, including reducing network maintenance and construction costs for their customers.

Furthermore, these operators are utilizing their network assurance and maintenance expertise to actively support the delivery of large-scale events and activities. An example of this is Vodafone’s involvement in providing broadband PTT services for the volunteers at the 2022 FIFA World Cup in Qatar.