In the days after the first US-Israeli strike in Iran, Chinese-nexus threat actors attacked targets in Qatar. This shows that China-backed advanced persistent threat (APT) groups are changing their strategy in the region as they respond to geopolitical events.

This week, Check Point Software revealed in a blog post that the threat actor Camaro Dragon planned to use lures related to the conflict to deploy a version of PlugX malware against different Qatari organizations within a day of the start of the so-called "Operation Epic Fury" offensive. A different attack on a Qatari target also tried to use DLL hijacking to install the penetration testing tool Cobalt Strike. This is a method that is also linked to groups with ties to China.

Check Point says that Chinese hackers don't usually go after the Gulf region as much as other parts of the Middle East. This shows that their targeting has changed since the war against Iran started. The fighting quickly spread to other Middle Eastern countries, including Qatar, the United Arab Emirates, and Bahrain, where the US has military bases that Iran has attacked.

Iran already launched a lot of cyberattacks in the first few days of the war as part of its response. Now, other countries that are interested in the region seem to be getting involved in the cyber side of the conflict as well.

The post says that the intrusions Check Point saw show how quickly China-nexus actors can change their targeting priorities and attack places that aren't usually on their radar. Check Point says, "The quick focus on Qatar may be due to both opportunistic intelligence gathering related to the regional crisis and a wider shift in collection priorities toward a state that sits at the crossroads of several competing regional and global powers and interests."

To protect themselves from more and more cyberattacks, businesses should strengthen their current security measures, such as endpoint detection and response (EDR) systems, and make sure they have basic security measures like multifactor authentication (MFA) in place.

Check Point's blog post included indicators of compromise (IoCs) of the specific attacks on Qatari targets to help defenders find threat activity by China-nexus actors like Camaro Dragon and others.