SecurityWeek

Cyberwarfare

Cyber Playing a Part in Iraq’s Civil War

Iraq’s civil war now has a cyber-component, with researchers encountering increased cyber-espionage tools and custom malware.

Recent reports have focused on the Islamic State of Iraq and al-Sham (ISIS) group’s expansion in northern Iraq and the members’ extensive use of social media to spread propaganda messages. There also appears to be a sharp increase in malware and botnet activity, primarily concentrated in Baghdad, Erbil, Basra, and Mosul, according to a new report from IntelCrawler.

Some of the malware contained strings to suggest the cyber-attacks are religiously and politically motivated, the threat intelligence firm found.

“The increased activity correlates with other geopolitical conflicts where state-sponsored activities in cyberspace try to affect outcomes on the ground,” IntelCrawler said over the weekend.

Researchers uncovered a large pool of Remote Administration Tools (RATs) that use SOCKS proxies and FTP/HTTP BackConnect with an embedded file-system browser. These RATs are “masked under Google Chrome and publicly available software” and used to remotely monitor infected victims, IntelCrawler said. The malware can intercept various pieces of data from infected systems and transmit them to servers controlled by the attackers.

The majority of the malicious domain names used in the command-and-control infrastructure were registered using free public DNS providers. The IP addresses resolved to various regional ISPs in Iraq, such as GORANNET, IQ-EARTHLINK, IQNETWORKS, IQ-NEWROZ and IQ-TARINNET. There were several domains using zapato.org and no-ip.biz, which were also observed in cyber-attacks in Syria.

“Several new botnets using dynamic DNS have been detected, which might have been used for cyber espionage and targeted multi-staged cyber attacks,” IntelCrawler said.
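A defender-side check suggested by the above, added here as an example and not taken from the IntelCrawler report or the article: it scans DNS query-log lines for resolutions under the dynamic DNS zones the report names (no-ip.biz, zapato.org) and groups the matching hostnames by internal client, so a single host resolving several such names stands out for triage. The log format, hostnames and addresses are constructed; extend the zone list with your own watchlist.

```python
import re
from collections import defaultdict

# Dynamic DNS zones named in the report; extend with your own watchlist.
DYNAMIC_DNS_ZONES = ("no-ip.biz", "zapato.org")

# Constructed sample lines in a simplified BIND-style query-log format.
# Hostnames, client addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
22-Jun-2014 10:01:02.123 client 10.0.0.15#53211: query: update.google-chrome-sync.no-ip.biz IN A + (10.0.0.1)
22-Jun-2014 10:01:05.456 client 10.0.0.15#53212: query: www.example.com IN A + (10.0.0.1)
22-Jun-2014 10:02:10.789 client 10.0.0.27#40012: query: srv1.zapato.org IN A + (10.0.0.1)
22-Jun-2014 10:03:11.001 client 10.0.0.15#53213: query: cdn.google-chrome-sync.no-ip.biz IN A + (10.0.0.1)
22-Jun-2014 10:04:12.002 client 10.0.0.27#40013: query: srv1.zapato.org IN A + (10.0.0.1)
22-Jun-2014 10:05:13.003 client 10.0.0.33#41000: query: mail.example.org IN MX + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def dynamic_dns_zone(qname):
    """Return the watched dynamic DNS zone a query name falls under, else None.

    Matches the zone itself or any name below it, but not names that merely
    contain the zone as a prefix (e.g. zapato.org.example.net).
    """
    name = qname.rstrip(".").lower()
    for zone in DYNAMIC_DNS_ZONES:
        if name == zone or name.endswith("." + zone):
            return zone
    return None


def find_dynamic_dns_clients(log_text):
    """Map each internal client IP to the sorted dynamic DNS names it resolved."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        if dynamic_dns_zone(m.group("qname")):
            hits[m.group("client")].add(m.group("qname").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in find_dynamic_dns_clients(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(names)}")
```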

Attackers also appear to be targeting home router connections in Iraq in order to monitor network traffic and conduct Internet surveillance, IntelCrawler said. “Significant numbers” of SOHO routers with IP addresses in Iraq’s IPv4 range have been compromised, either by brute-forcing passwords or by mass exploitation of unpatched vulnerabilities in the UPnP protocol, researchers said.

Much of the malware appears to be custom rather than off-the-shelf mass malware, and was previously seen in attacks targeting Syrian opposition groups in the Syrian civil war, according to the researchers. ISIS also played a key role in Syria, making it likely the group is reusing its cyber capabilities in Iraq.


“The share of Iraqi-based bad actors involved into various illegal activities in cyberspace acting as mercenaries seems to have significantly increased,” IntelCrawler said. They appear to have ties to other groups from Egypt, Libya, Lebanon, Iran, and Syria.
