Key trends in GCC cyber threat landscape to be presented at MENA ISC 2024
The Gulf region is going through rapid digitalization and digital transformation. According to Mordor Intelligence, the region’s ICT market is estimated at $129 billion in 2024. Meanwhile, Future Market Insights predicts the digital transformation industry across MENA to grow more than 7.5 times over the next 10 years and reach $418.5 billion.
While digital transformation allows companies to operate more efficiently and at a lower cost, digital risks are on the rise. The more complex and extensive the IT infrastructure of organizations, the wider the attack surface. All of this leads to a more complex cyber threat landscape.
Our specialists have analyzed the top 10 most notorious threat actors that attacked companies in Saudi Arabia, Bahrain, Kuwait, Oman, Qatar, and the UAE in 2023 and early 2024. We have identified the following trends in the development of the cyber threat landscape:
1. Attacks on government agencies, oil enterprises, and telcos are most often carried out for espionage
This has been the motivation of 8 of the 10 most aggressive threat actors in the region over the past year and a half. They primarily target government organizations, telcos, and oil enterprises. The latter are critically important for the region’s economy: Middle Eastern countries account for about a third of global oil production, with Saudi Arabia ranked the second largest oil producer.
2. The most active threat actors rarely attack for financial gain
On average, about 80% of cyberattacks worldwide are carried out for financial gain. This may typically be ransom demanded in exchange for unlocking access to infrastructure or decrypting data. However, only 2 out of the 10 clusters that most frequently attacked the GCC countries in 2023 and 2024 acted with such an objective in mind. This may be because most financially motivated threat actors engage in extortion rather than resale of stolen data, while companies in the region often refuse to be manipulated into paying ransom.
3. The majority of damage from cyberattacks is attributed to the theft of sensitive data
This is due to the fact that stealing such data (rather than, for example, encrypting the infrastructure) is the primary goal of the majority of threat actors most active in the region. To obtain sensitive information, attackers can compromise both the cloud storage and the internal company infrastructure.
4. PowerShell and legitimate remote access solutions are some of the most popular tools used by threat actors
The adversaries often use PowerShell, a legitimate cross‑platform task automation solution that includes a command line shell, scripting language, and configuration management platform, to carry out attacks in the region. Its key advantage for the criminals is the ability to perform a wide range of tasks at different attack stages: obtain authentication material, execute malicious code, collect data, and more.
Moreover, attackers often employ legitimate tools originally designed for remote computer administration. Since such programs are not malicious, they allow adversaries to bypass defenses more effectively while their actions within the infrastructure become harder to recognize.
Notably, some of the threat actors attacking GCC companies for espionage purposes use commercial malware that can be purchased on the darknet. This is an unusual trend, as espionage‑focused clusters around the world are more likely to use their own malware to make themselves harder to detect and counter.
5. To gain initial access, the attackers most often compromise services that allow remote access to the target infrastructure
These could be VPN services, which companies use to give employees secure access to corporate networks, or RDP services, which allow a computer to be controlled remotely. Adversaries tend to use stolen legitimate credentials to gain access to these services, so the logons themselves look like those of a valid user.
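The following Python script is an added example, not BI.ZONE's code and not tied to any particular cluster. It shows how a detection team could triage log records for the techniques described in points 4 and 5: PowerShell launched with an encoded or hidden command (the Base64 payload is decoded so the analyst sees what was run), execution of legitimate remote‑administration tools, RDP logons (Windows logon type 10) from outside the internal address ranges, and one VPN account authenticating from two different source addresses within a short window. The event records, the internal network ranges, and the list of remote‑admin binaries are all constructed for the example and are assumptions, not data from the report.

```python
"""Triage of constructed log records for the techniques named in points 4 and 5.
Added example; events, network ranges and tool names are assumptions."""
import base64
import ipaddress
import re
from datetime import datetime, timedelta

# Assumption: internal address space of the monitored organization.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumption: illustrative remote-administration binaries (legitimate software, often abused).
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "rutserv.exe"}

# -EncodedCommand and its accepted prefixes, followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Flags that hide the window or weaken policy; common in scripted abuse, rare in admin use.
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(events):
    """Return a list of (severity, host, reason) findings over the event records."""
    findings = []
    vpn_seen = {}  # user -> [(time, src_ip)] of successful VPN logons
    for ev in events:
        if ev["type"] == "process":
            name = ev["process"].lower()
            cmd = ev.get("cmdline", "")
            if name in ("powershell.exe", "pwsh.exe"):
                decoded = decode_encoded_command(cmd)
                evasion = EVASION_FLAGS.findall(cmd)
                if decoded or evasion:
                    findings.append(("high", ev["host"],
                                     f"PowerShell by {ev['user']} with {', '.join(evasion) or 'no evasion flags'}; "
                                     f"decoded payload: {decoded!r}"))
            elif name in REMOTE_ADMIN_TOOLS:
                findings.append(("medium", ev["host"], f"remote admin tool {name} started by {ev['user']}"))
        elif ev["type"] == "logon" and ev["logon_type"] == 10:  # RemoteInteractive = RDP
            if not is_internal(ev["src_ip"]):
                findings.append(("high", ev["host"], f"RDP logon for {ev['user']} from external {ev['src_ip']}"))
        elif ev["type"] == "vpn" and ev["result"] == "success":
            t = datetime.fromisoformat(ev["time"])
            prev = vpn_seen.setdefault(ev["user"], [])
            for pt, pip in prev:
                if pip != ev["src_ip"] and abs(t - pt) < timedelta(hours=1):
                    findings.append(("medium", "vpn-gw",
                                     f"{ev['user']} VPN logons from {pip} and {ev['src_ip']} within an hour"))
                    break
            prev.append((t, ev["src_ip"]))
    return findings


# Constructed sample records (not real telemetry). The encoded command is a
# harmless file-listing, built here so the example runs offline.
_ENC = base64.b64encode("Get-ChildItem C:\\Users -Recurse -Include *.docx".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "host": "hq-ws-12", "user": "CORP\\a.hassan", "process": "powershell.exe",
     "cmdline": f"powershell.exe -NoProfile -W Hidden -EncodedCommand {_ENC}"},
    {"type": "process", "host": "hq-ws-12", "user": "CORP\\a.hassan", "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},  # ordinary admin usage, not flagged
    {"type": "process", "host": "oil-srv-03", "user": "CORP\\svc-backup", "process": "AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service"},
    {"type": "logon", "host": "hq-dc-01", "user": "CORP\\j.smith", "logon_type": 10, "src_ip": "203.0.113.45"},
    {"type": "logon", "host": "hq-dc-01", "user": "CORP\\it-admin", "logon_type": 10, "src_ip": "10.20.4.7"},
    {"type": "vpn", "time": "2024-05-02T08:05:00", "user": "CORP\\m.ali", "src_ip": "198.51.100.9", "result": "success"},
    {"type": "vpn", "time": "2024-05-02T08:40:00", "user": "CORP\\m.ali", "src_ip": "192.0.2.77", "result": "success"},
]

if __name__ == "__main__":
    for severity, host, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```

Run on the constructed records, the script reports four findings: the hidden, encoded PowerShell run (with the decoded listing command), the AnyDesk launch on the server, the RDP logon from a non‑internal address, and the VPN account used from two addresses 35 minutes apart. The plain `-File backup.ps1` run and the RDP logon from the internal range are left alone, which is the point of the approach: because the tools and credentials are legitimate, detection has to key on how they are used rather than on a malware signature.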
In order to effectively counter threats, theoretical knowledge must be backed up by practice. That is, specialists should have access to training in conditions which are as close to real‑world as possible. For this purpose, BI.ZONE is organizing Cyber Polygon, an international training for improving global cyber resilience, within MENA ISC 2024. The training this year is dedicated to investigating a sophisticated targeted attack on a technology company.
The plot of Cyber Polygon 2024 centers on a startup that has developed an AI‑powered solution. However, management suspects that the internal infrastructure has been compromised. The training participants will have 24 hours to practice the actions of a response team. They will investigate the incident using digital forensics and threat hunting techniques.
Cyber Polygon is an international capacity‑building initiative of BI.ZONE aimed at raising global cyber resilience. Over 300 organizations from 60 countries have already registered for the training.
In previous years, the event was attended by Jürgen Stock, Secretary General of INTERPOL; Peter Maurer, former President of the International Committee of the Red Cross (2012–2022); the Rt. Hon. Tony Blair, Prime Minister of Great Britain and Northern Ireland (1997–2007); Professor Klaus Schwab, Founder and Executive Chairman of the World Economic Forum; Steve Wozniak, Co‑founder of Apple Computer; Henrietta H. Fore, Executive Director, UNICEF; as well as senior officials from Visa, Mastercard, IBM, Microsoft, Ericsson, Trend Micro, Kaspersky, and other global corporations.