A hacking group with ties to Iran, known as the Crambus espionage group, executed an extensive intrusion into the computer systems of a Middle Eastern government.

The espionage group’s intrusion spanned an eight-month period from February to September 2023.

The cyber attackers employed a range of tactics during the operation, including the theft of sensitive files and passwords, Symantec revealed.

The perpetrators introduced a PowerShell backdoor called PowerExchange in one instance, providing them with the ability to not only monitor but also execute commands through email messages, surreptitiously forwarded from an Exchange Server. The campaign impacted a minimum of 12 computers, with strong indications pointing toward the deployment of backdoors and keyloggers on numerous other systems.

Evidence has also emerged suggesting that the attackers went as far as modifying Windows firewall rules to enable remote access, demonstrating their resourcefulness.

The Crambus espionage group has long been associated with espionage operations in multiple countries, including Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States, and Turkey.

The group is recognized for its prolonged intrusions, primarily focused on intelligence gathering and espionage. In recent times, they have incorporated a substantial social engineering component into the initial stages of their cyber-attacks.

The activities of the group over the past two years indicate that they pose a continuous threat to the Middle East and beyond.

The United States government had previously attributed the group to the Ministry of Intelligence of the Islamic Republic.