Kaspersky finds a new APT campaign targeting engineers in the Middle East

The malware, which is well-suited for spying, doesn’t match any code the researchers have seen before.
power plant, energy infrastructure, industrial control systems
(Getty Images)

A mysterious set of hackers last year began a targeted campaign to breach industrial organizations in the Middle East, antivirus firm Kaspersky said Tuesday.

Attackers have sought to breach engineers, particularly in a single, unnamed Middle Eastern country, adding to a long history of cyber operations in the region. They’re relying on a strain of malicious software that’s tailored for espionage, and does not appear to match any code the researchers have seen before. Exactly who is behind the effort remains unclear.

The sensitivity of the targets, and the fact that the activity is ongoing, prompted the researchers to go public with their findings. The Moscow-based company labeled the activity an “advanced persistent threat” (APT), a loose term for well-resourced hackers often linked to government interests. Kaspersky designated the hacking campaign “WildPressure.”

“Anytime the industrial sector is being targeted, it’s concerning,” said Kaspersky senior security researcher Denis Legezo. There is no indication that hackers have done anything beyond gather information from the compromised networks, he added.


“We made this conclusion [ that it is an APT because] the malware is rare, targets a very specific region, and is suitable for espionage,” Legezo told CyberScoop, “So far we have no data regarding sponsorship.”

Broadly speaking, the “industrial sector” could mean organizations in energy or others domains critical to a society or economy, but Kaspersky researchers did not elaborate on the nature of the organizations targeted.

With a wealth of valuable industrial facilities, the Middle East has long been the scene of hacking operations to spy on or disrupt those facilities. The Stuxnet worm stifled an Iranian nuclear facility a decade ago, while the Trisis malware disrupted a Saudi petrochemical company in 2017.

Whether the WildPressure campaign amounts to anything more than espionage remains to be seen. The hackers were patient in developing their malware, but Legezo said he’s seen more painstaking operations.

“If we compare it with other targeted malware, there are worse ones out there,” he told CyberScoop in an email.


One of the pieces of code unpacked by Kaspersky researchers was labeled “1.0.1,” indicating that an updated version could be in the cards.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts