Cyber Incident Victim: National Security Advisor of Iraq
Date: Jan 2018
Location: Iraq
Summary
Western security officials attributed cyberattacks targeting multiple governments and organizations in Europe and the Middle East, including the Iraqi national security advisor, to hackers acting in Turkey's interests. The campaign employed DNS hijacking to redirect victims to fraudulent sites, enabling credential theft from email services, cloud storage, and security networks. Victims spanned government ministries, embassies, intelligence agencies, and civilian entities, with compromised infrastructure including non-classified systems. Officials linked the activity to Turkish state-backed espionage based on victim profiles, infrastructure similarities to prior Turkish operations, and confidential intelligence. While some organizations confirmed containment of breaches, Turkey denied involvement and cited its own vulnerability to cyber operations.
Description
Between late 2018 and early 2019, hackers conducted a series of cyberattacks targeting at least 30 organizations across Europe and the Middle East, including government entities in Cyprus, Greece, Albania, and Iraq. The attackers employed DNS hijacking techniques to redirect victims' internet traffic to fraudulent servers under their control, enabling credential theft from email services, cloud storage systems, and online networks. Public internet records confirmed the Iraqi government's national security advisor was among the victims whose web traffic was intercepted. Security officials from three Western nations attributed the campaign to actors advancing Turkish geopolitical interests based on victim profiles, infrastructure similarities to prior Turkey-linked operations, and classified intelligence assessments. The attacks exploited vulnerabilities in fundamental internet infrastructure, allowing compromise without direct network penetration.

The campaign impacted multiple national security organizations, with Albanian state intelligence reporting hundreds of compromised credentials though claiming no classified data loss. Cyprus acknowledged containment measures but withheld operational details, while Greece denied email system breaches. Turkey's government declined comment despite civilian Turkish organizations also being targeted, including a Freemasons group erroneously linked to Fethullah Gulen by local media. Private cybersecurity researchers confirmed the attackers breached top-level domain operators, amplifying potential damage. The operation continued through at least January 2020 according to Western intelligence assessments, with victimology suggesting persistent focus on Turkey's regional adversaries. No public evidence linked the campaign to a separate 2018 DNS hijacking operation despite methodological similarities.
