Wednesday, October 18, 2017

Iranian Cyber Campaign Evolutions – The Next Wave: Greenbug and Ismdoor

Greenbug is an Advanced Persistent Threat (APT) cyber-espionage group with suspected Iranian ties. In August 2017, a Greenbug tool dubbed Ismdoor resurfaced in the wild. The malware possesses many reconnaissance capabilities, and in August 2016 it was deployed to harvest account credentials prior to an attack against Saudi Arabian infrastructure. Wapack Labs assesses with moderate confidence that the presence of Ismdoor is an indicator that Greenbug may be performing reconnaissance for a future campaign. While the Greenbug group is not directly affecting Red Sky Alliance members, the targeting of Middle Eastern gas and energy companies affects multiple supply chains, with repercussions for U.S. and Allied interests in the region. Wapack Labs' analysts have also detected an evolution in Iranian cyber campaigns indicating likely adoption of cyber-espionage and cyber-hacktivism models similar to those employed by Chinese APT groups, whereby different groups are used in different campaigns and multiple teams conduct separate phases of a single campaign. The Iranian-originated campaigns, like those of the Chinese APT model, are also conducted in waves. The resurgence of Greenbug and Ismdoor indicates that another Iranian-based cyber campaign cycle is being initiated in the Middle East.

Wapack Labs has cataloged and reported on APT groups and campaigns in the past. An archive of related reporting can be found in the Red Sky Alliance portal.