
Hackers Target Middle East Telecoms for Large-Scale Command and Control Operations


Hackers Exploit Telecommunications Networks in the Middle East

Recent investigations have shed light on a concerning trend in which hackers are increasingly exploiting telecommunications networks and hosting providers across the Middle East. These intrusions involve the establishment of extensive command-and-control (C2) networks that facilitate a wide array of cybercriminal activities. This development signals a strategic evolution in how cyber adversaries operate, moving away from short-lived indicators of compromise toward a more sophisticated approach built on durable, reusable hosting infrastructure.

Within the extensive dataset analyzed, a significant proportion of malicious activity (over 90 percent) was traced back to C2 infrastructure. This level of threat surpasses that generated by traditional phishing campaigns, exposed directories, and publicly known indicators. The focus on C2 infrastructure not only illuminates the scale of these operations but also emphasizes the importance of understanding the long-term patterns that characterize such cyber threats.

Notably, the Saudi Telecom Company (STC) has emerged as a major focal point in this malicious activity. The analysis uncovered that STC alone hosts approximately 981 C2 servers. This staggering figure corresponds to around 72 percent of all detected C2 infrastructure within the region. Researchers suggest that the prevalence of this activity is not necessarily due to a direct compromise of the telecom network. Instead, it likely arises from customer devices that have been compromised while operating within the telecom ecosystem. Consequently, large-scale internet service provider (ISP) infrastructure becomes an unintentional relay for systems under the control of cyber attackers.

According to a report from Hunt.io, shared with GBhackers, researchers have identified more than 1,350 active C2 servers that are distributed across 98 different infrastructure providers in 14 Middle Eastern countries. This includes prominent nations such as Saudi Arabia, the United Arab Emirates, Turkey, Israel, Iran, Iraq, and Egypt. The data further highlights that alongside STC, other significant providers like UAE-based SERVERS TECH FZCO, Israel’s OMC, Turkey’s Türk Telekom, and Iraq’s Regxa have also been identified, each contributing to the malicious infrastructure, albeit to varying degrees.

The report elucidates the operational landscape for these cybercriminals. It underscores that the presence of large telecom operators, coupled with smaller virtual private server (VPS) providers, enables hackers to function across diverse infrastructure environments. This adaptability enhances their resilience and ability to avoid detection and disruption.

Throughout a three-month observational period, researchers recorded a total of 1,459 malicious artifacts among the 98 Middle Eastern infrastructure providers. These artifacts comprised 1,357 C2 servers, 45 malicious open directories, seven publicly identified indicators of compromise (IOCs), 43 IOC Hunter posts, and seven phishing sites. This distribution shows that a relatively small number of providers disproportionately host malicious activity.

The clustering effect observed in these findings allows threat actors to reuse compromised infrastructure and prepare for operations in advance, maintaining dormant access points that can be activated whenever required. Documented cases have revealed that infrastructure associated with advanced persistent threats was identified well ahead of actual attacks, illustrating the proactive nature of their strategies.

Moreover, malware families identified in these networks encompass a blend of common botnets and advanced post-exploitation frameworks, reflecting a disturbing convergence of cybercrime with state-supported activities. Tools such as Tactical RMM, Cobalt Strike, and Sliver, alongside IoT botnets like Mirai, Mozi, and Hajime, have become prevalent among these malicious activities. The dataset also notes the presence of several offensive security frameworks and post-exploitation platforms, including Prism X and AsyncRAT, emphasizing that both rudimentary malware and sophisticated APT tooling leverage Middle Eastern infrastructures for their operations.

Real-world campaigns linked to these infrastructures have spanned a range of malicious activities, including ransomware delivery, cryptomining operations, and espionage. In one noteworthy instance, researchers documented the Phorpiex botnet’s C2 servers operating through Syrian telecom infrastructure, distributing both cryptominers and ransomware payloads. Other campaigns have exploited telecom IP addresses to take advantage of vulnerabilities, deploy remote access trojans, and conduct cloud-oriented intrusions.

The report accentuates the significance of monitoring infrastructure providers and examining their hosting patterns. By focusing on the networks frequently utilized by attackers, cybersecurity organizations can proactively anticipate threats, enhance their monitoring priorities, and work to disrupt malicious operations before they can escalate into full-fledged attacks.
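One way a defender can apply the hosting-pattern analysis described above is to aggregate observed C2 sightings by provider and flag the providers whose share of the total warrants prioritized monitoring. The code below is an added illustration, not Hunt.io's tooling; the sightings, provider names, and IP addresses are constructed for the example, and the concentration threshold is an assumed value.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    ip: str
    provider: str
    country: str
    artifact: str   # "c2", "open_directory", "phishing", ...
    family: str     # malware family or framework attributed to the host


# Constructed sample data (documentation-range IPs, hypothetical providers);
# not taken from the report discussed above.
SIGHTINGS = [
    Sighting("203.0.113.10", "Provider-A", "SA", "c2", "Cobalt Strike"),
    Sighting("203.0.113.11", "Provider-A", "SA", "c2", "Cobalt Strike"),
    Sighting("203.0.113.12", "Provider-A", "SA", "c2", "Sliver"),
    Sighting("203.0.113.13", "Provider-A", "SA", "c2", "Mirai"),
    Sighting("203.0.113.14", "Provider-A", "SA", "c2", "Mirai"),
    Sighting("203.0.113.15", "Provider-A", "SA", "c2", "AsyncRAT"),
    Sighting("198.51.100.20", "Provider-B", "AE", "c2", "Sliver"),
    Sighting("198.51.100.21", "Provider-B", "AE", "c2", "Mozi"),
    Sighting("198.51.100.22", "Provider-B", "AE", "open_directory", "unknown"),
    Sighting("192.0.2.30", "Provider-C", "TR", "c2", "Hajime"),
    Sighting("192.0.2.31", "Provider-C", "TR", "phishing", "unknown"),
]


def artifact_breakdown(sightings):
    """Count artifacts by type, mirroring the report's C2 / open directory / phishing split."""
    return Counter(s.artifact for s in sightings)


def provider_concentration(sightings, artifact="c2"):
    """Return (provider, count, share) tuples for one artifact type, largest first."""
    counts = Counter(s.provider for s in sightings if s.artifact == artifact)
    total = sum(counts.values())
    return [(p, n, n / total) for p, n in counts.most_common()] if total else []


def prioritize(sightings, min_share=0.25):
    """Providers whose share of observed C2 meets the (assumed) threshold get closer monitoring."""
    return [p for p, _, share in provider_concentration(sightings) if share >= min_share]


def family_mix(sightings, provider):
    """Which malware families share one provider's address space; a blend of botnet and
    post-exploitation tooling on the same network is the convergence the report describes."""
    return Counter(s.family for s in sightings if s.artifact == "c2" and s.provider == provider)
```

Feeding real sightings (for example, exports from a threat-intelligence platform) into `SIGHTINGS` turns this into a recurring check that ranks providers by C2 concentration and surfaces the tooling mix on each.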

In conclusion, the evidence presented highlights the urgent need for a comprehensive understanding of the dynamics at play in the Middle Eastern telecommunications infrastructure. As hackers continue to adapt their methodologies, the response must likewise evolve to ensure robust defenses are in place against these persistent threats.
