Iran-Backed Hacker Group Targets Iraqi and Kurdish Officials in New Cyber Attacks

A hacking group tied to Iran has been behind a series of cyber attacks aimed at government officials in Iraq and the Kurdistan region in early 2024, according to cybersecurity firm ESET.

The group, known as BladedFeline, is believed to be part of OilRig, a well-known Iranian government-backed hacking operation. BladedFeline has reportedly been active since 2017, with a long history of spying on Kurdish diplomatic officials and exploiting systems in both Iraq and neighboring countries.

Targets and Tactics

The main targets of BladedFeline include the Kurdistan Regional Government (KRG), the Government of Iraq (GOI), and even a telecom company in Uzbekistan. Cybersecurity experts say the group’s goal is to gather sensitive diplomatic and financial data from these entities.

BladedFeline uses several custom-built malware programs, including:

• Shahmaran: A simple backdoor that allows the attackers to upload and download files and run commands.

• Whisper (aka Veaty): A backdoor that uses Microsoft Exchange email servers to send and receive instructions.

• Spearal: Malware that communicates through DNS tunneling, a method that hides command-and-control traffic inside ordinary DNS queries and responses so it blends in with normal internet traffic.

• Optimizer and Slippery Snakelet: Tools used to control infected systems, run commands, and move stolen data.

The hackers also use tunneling tools like Laret and Pinar, as well as a fake web server component named PrimeCache to maintain hidden access to compromised systems.

Iranian Link

There is strong evidence linking BladedFeline to Iran. Tools used by OilRig—another Iranian group—have also been found in previous attacks against the KRG. This includes malware such as RDAT and VideoSRV, which were discovered on KRG systems in 2017 and 2018. Another security firm, Check Point, also recently attributed attacks on Iraqi networks using similar techniques to OilRig.

One of the most recent discoveries by ESET was a malicious tool named Hawking Listener, uploaded online in March 2024. It works by quietly listening on a network port of the infected computer, waiting for the attackers to connect and send instructions.

Why Are They Doing This?

According to ESET, Iran-aligned hackers are likely interested in:

• Monitoring Kurdish relationships with Western countries

• Gaining insight into Iraq’s government affairs

• Spying on oil-related developments in the Kurdistan region

• Countering Western influence in Iraq following years of U.S. presence

While it’s not yet clear how the hackers first gained access to the systems, experts believe they may have exploited security weaknesses in internet-facing applications.

Final Take

BladedFeline’s activities show how advanced and persistent state-sponsored cyber threats can be. With their custom tools and long-term strategy, they pose a serious risk to regional governments and their diplomatic operations.
