[Region Analysis_January] Dark Web Cyber-attacks targeting MENA region(English ver.)

Author: Sunhyung Shim, Jaehak Oh | S2W Marketing

Photo by Clint Patterson on Unsplash
Author’s Introduction:

This report conducts an in-depth analysis of cyberattacks directed towards the *MENA (Middle East and North Africa) region. It offers comprehensive insights into the data extracted from dark web hacking forums, ransomware-related incidents, and messages sourced from Telegram hacking channels operated by diverse threat actors.

The report commences by presenting key highlights, including details on the most frequently targeted country within the MENA region, the significant surge in damages observed from 2022 to 2023, the nation with the highest ransomware-related damages, and the industries that have been prominently targeted. Subsequently, it delves into a thorough examination of these critical findings, providing a deeper understanding of the points previously outlined.

We hope you find this report useful, and please find below contact upon any queries.

Homepage | Linkedin | Facebook
Email: [email protected]

*MENA countries are as below. The source is from the Britannica Encyclopedia.
<Türkiye, Syria, Israel, Palestine, Jordan, Iraq, Iran, Afghanistan, Kuwait, Bahrain, Qatar, UAE, Saudi Arabia, Yemen, Oman, Egypt, Sudan, and Libya>,

Executive Summary

The Facts in 2023

  • Türkiye was the most frequently mentioned country in the MENA region within the dark web (hacking forums + ransomware), and it experienced significant damages in proportion to its mentions, including data breaches and account leaks.
  • Examples of mentions related to the country include instances of data breaches and declarations of cyberattacks against that country.
  • When comparing ’23 to ’22, Israel saw the most significant increase in damages from cyberattacks, likely as a result of the escalation of cyber warfare amid the Israel-Palestine conflict.
  • The MENA countries with the largest ransomware damages were UAE, followed by Türkiye and Israel, with these three nations accounting for approximately 70% of the total MENA damages from ransomware.
  • The telecommunication industry in MENA experienced a notably higher proportion of damages compared to other regions. This is particularly attributed to the significant impact of cyberattacks on major telecommunication companies in Israel.

Cyberattack damage trends in MENA countries (‘21–’23)

MENA region country’s data leak distribution within dark web
<(Left) Distribution of data leaks, (Right) Data leak comparison by year>
  • Türkiye has been the country most affected by cyberattacks on the dark web in the past two years, with Israel experiencing the highest increase in cyberattack damages from the previous year.

Concentration of cyber damages by country & industry

  • The proportion of data leaks in the ‘financial’ industry was highest in Türkiye across the entire MENA region.
  • Examples:
    1) ‘Akbank’ breach, one of the largest banks in Türkiye,
    2) ‘TEB’ breach, the oldest bank in Türkiye.
  • Data leaks from ‘Government/Military’ entities were the most frequent cyber leaks in the MENA region, particularly in Iraq and Saudi Arabia, where government agency leaks accounted for approximately 70% and 52% of all leaks, respectively.
  • Iraq example:
    Ministry of Interior, National Security, Prime Minister Office, voter database, etc.
  • KSA example:
    Ministry of Foreign Affairs, 9k accounts leak from Ministry of Education, etc.

Concentration of damages by industry in nearby regions

  • The telecommunication industry in MENA stands out as the most significant sector compared to other nearby regions. A significant number of data leak incidents have been attributed to the exposure of personal information of users subscribed to telecom services.
    Notably, data leaks from major Israeli telecom providers such as ‘CellCom’ and ‘Bezeq’ have had a significant impact on the overall telecom data leaks within the MENA region.

Examples of the telecommunication industry’s data leak

  • In October-November 2023, Israel’s largest telecom companies, ‘Cellcom’ and ‘Bezeq,’ experienced a cyberattack from the hacking group ‘SiegedSec.’ During the attack, internal data and personal information of telecom subscribers were compromised. The extent of the damage included approximately 50,000 individuals’ personal information for Cellcom and around 180,000 individuals’ personal information for Bezeq.
<Who is SiegedSec?><Message trends of ‘Cellcom’ and ‘Bezeq’ leaks within Telegram>
  • The data leaks of ‘Cellcom’ and ‘Bezeq’ within dark web hacking forums have had an impact on threat actors active on Telegram.
  • Following the data leaks of ‘Cellcom’ and ‘Bezeq’ within the dark web, threat actors have been observed sharing the leaked data for free on Telegram. They have also mentioned engaging in activities such as launching DDoS attacks on the affected companies’ DNS servers, and these actions are reported to continue until 2024.
  • A total of 24 hacking groups have mentioned the affected companies, with the most active group being referred to as the ‘Anonymous Collective.’
<’Cellcom’ and ‘Bezeq’ data leaks posted by ‘Anonymous Collective’>
  • Apart from Israel, it has been frequently observed that the personal information of telecommunications companies’ subscribers in several MENA countries is being leaked within dark web hacking forums.
Comparison of ransomware damages by country
<(Left) Ransomware damages by country, (Right) Most active ransomware gangs targeting MENA region>
  • The countries in MENA with the largest ransomware damages are ranked as UAE > Türkiye > Israel, with these three nations accounting for approximately 70% of the total ransomware damages in MENA.
  • Similar to other regions, in ’23, the gang ‘LockBit’ was identified as the most prolific perpetrator of ransomware attacks in MENA countries throughout the year.
  • Despite being the third most mentioned country within hacking forums, ‘Iraq’ did not experience a single ransomware attack in ’23.

Yearly Comparison and Analysis of Country/Industry Damages

  • In particular, UAE and Israel experienced the highest increase in the number of ransomware attacks, with 12 more incidents compared to 2022. Additionally, in 2024, both countries saw an additional increase of one ransomware attack.
  • Israel was not a country of significant interest to ransomware gangs in the previous year, but in 2023, the number of ransomware incidents increased significantly.
  • In 2023, there was a decrease in the proportion of damages in other industries (business services, transportation, finance), with a more concentrated impact on the manufacturing sector.
Trends in Telegram Hacking Group Activity Targeting MENA
  • Following the outbreak of the Israel-Palestine conflict, hacker activity on Telegram witnessed a sharp increase, which gradually declined. However, the trend has shown an upward trajectory since January 2024.
  • Approximately 59% of hacking groups seem to have gone dormant starting from 2024, with around 14% of these groups having previously focused on mentions related to ‘Israel’ and ‘Pakistan.’

Comparison of mentions (2023 vs. 2024)

  • Messages targeting Israel continue to be concentrated even in ’24, but there has been a decrease of approximately 8.5 percentage points in mentions compared to the previous year, with mentions dispersing to other MENA countries.
Categorization of Message Types in Hacking Channels
  • Messages within Telegram channels operated by hacking groups are divided into two categories: simple mentions and file leaks. Here are the differences and examples for each:
  • Among the MENA countries, Saudi Arabia had the highest proportion of file leaks relative to its mentions, accounting for approximately 13% of the total. Additionally, it ranked second in terms of the volume of file leaks.
Files leaked from Telegram channels

Samples of leaked files from Telegram

<Sample leak files: Saudi Arabia, Israel, Iran>

[Region Analysis_January] Dark Web Cyber-attacks targeting MENA region(English ver.) was originally published in S2W BLOG on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: [Region Analysis_January] Dark Web Cyber-attacks targeting MENA region(English ver.) | by S2W | S2W BLOG | Feb, 2024 | Medium