ETDA ThaiCERT
Report
Search
Home > List all groups > Operation Parliament

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Operation Parliament

NamesOperation Parliament (Kaspersky)
Country[Unknown]
MotivationInformation theft and espionage
First seen2017
Description(Kaspersky) Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on.

Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital).

With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.

An overlap has been found between Operation Parliament and Molerats, Extreme Jackal, Gaza Cybergang.
ObservedSectors: Defense, Education, Energy, Financial, Government, Healthcare, Media, Research, Shipping and Logistics, Telecommunications and Sports.
Countries: Afghanistan, Canada, Chile, Denmark, Djibouti, Egypt, Germany, India, Iran, Iraq, Israel, Jordan, Kuwait, Lebanon, Morocco, Oman, Palestine, Qatar, Russia, Saudi Arabia, Serbia, Somalia, South Korea, Syria, UAE, UK, USA.
Tools usedRemote CMD/PowerShell terminal.
Information<https://securelist.com/operation-parliament-who-is-doing-what/85237/>
<https://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html>

Last change to this card: 15 April 2020

Download this actor card in PDF or JSON format

Previous: Operation Olympic Games
Next: Operation Poisoned News, TwoSail Junk

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key