A highly active hacking group is attacking government and corporate targets in Saudi Arabia, according to Symantec.
The 'Elfin' hacking group has attacked over 50 entities in Saudi Arabia, the US and other countries for nearly four years, and is one of the most prolific groups targeting the region, the security company warns.
Elfin's targets have mainly been Saudi organisations including government, research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.
The group has also targeted some 18 entities in the US, including Fortune 500 companies and organisations in the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.
Symantec said that the group was active in February this year, when it launched a wave of attacks against the chemical sector in Saudi Arabia. The attacks attempted to exploit a vulnerability in the WinRAR compression program, which would have allowed arbitrary code execution on the targeted PCs. The exploit in this case had already been blocked by Symantec software, the company said.
The group, which first became active in late 2015 or early 2016, specializes in scanning for vulnerable websites and using the results to identify potential targets, either for attacks or for the creation of command and control (C&C) infrastructure.
Symantec said that Elfin came under the spotlight in December 2018 when it was linked with a new wave of Shamoon attacks, which occurred close together in time with Elfin activity. However, Symantec does not believe the two attacks were carried out by the same group.
In a blog post, Symantec's Security Response Attack Investigation Team said: "Elfin is one of the most active groups currently operating in the Middle East at present, targeting a large number of organisations across a diverse range of sectors. Over the past three years the group has utilized a wide array of tools against its victims, ranging from custom built malware to off-the-shelf RATs, indicating a willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims."