Geographic Focus

Department 40’s primary operational focus centers on the Middle East and Gulf region, with extensive targeting across multiple countries.

Middle East and Gulf Region

The APT has directed attacks against targets in:
  • Turkey: Government entities, telecommunications infrastructure
  • United Arab Emirates (UAE): Government and security sectors
  • Qatar: Various organizational targets
  • Afghanistan: Government and civilian entities
  • Israel: Intelligence and security organizations
  • Jordan: Government entities and companies
  • Saudi Arabia: Various targets
  • Kuwait: Government and corporate targets

European Operations

  • Greece: Extensive Proxyshell targeting campaign
  • Belgium: Multiple organizational targets
  • Various European targets including media organizations

Global Reach

While focused on the Middle East, operations extend to:
  • India: Extensive Proxyshell exploitation campaign
  • Canada: Multiple targets identified
  • Egypt: Various entities
  • Other international locations as operational needs dictate

Target Categories

Telecommunications Companies

Telecommunications infrastructure is a primary target category, pursued for:
  • Network access for intelligence gathering
  • Communication interception capabilities
  • Customer data access
  • Infrastructure mapping

Aviation Companies

Aviation sector targeting includes:
  • Airlines and aviation service providers
  • Airport infrastructure
  • Travel data collection
  • Passenger information access

Intelligence Organizations

Foreign intelligence services are high-priority targets:
  • Israeli intelligence entities
  • Arab intelligence organizations
  • European security services
  • Counterintelligence against foreign operations

Government Entities

Extensive targeting of government organizations:
  • Turkey: Foreign Ministry and other government departments
  • UAE: Government and security employees
  • Jordan: Government entities
  • Afghanistan: Government organizations
  • Various Middle Eastern government targets

Media Organizations

Media outlets are targeted for:
  • Intelligence on reporting activities
  • Source identification
  • Influence operations
  • Monitoring coverage of Iranian activities

Corporate Targets

Civilian companies across multiple sectors:
  • Medical and healthcare companies
  • Financial institutions (e.g., Optima Bank in Greece)
  • Business organizations
  • Professional services firms

Iranian Opposition Tracking

Domestic Opposition

Monitoring and targeting of Iranians within Iran identified as “regime opponents”:
  • Political dissidents
  • Civil society activists
  • Reform movement members
  • Critics of the Iranian government

Iranian Exiles

Extensive operations against Iranians abroad:
  • Exile community monitoring
  • Opposition groups outside Iran
  • Iranian diaspora activists
  • Former regime officials who defected

Operational Methods

  • Social engineering campaigns
  • Credential harvesting
  • Communications monitoring
  • Network infiltration
  • Intelligence gathering for potential targeting

Specific Target Examples

Turkish Foreign Ministry

Documented attack using BellaCiao malware:
  • Government entity penetration
  • Webshell deployment
  • Sustained access maintained
  • Intelligence gathering operations

UAE Security Personnel

AMEEN ALKHALIJ recruitment campaign:
  • Fake recruitment website established
  • Targeting former government and security employees
  • Social engineering operation
  • Credential harvesting
  • Server logs document access attempts

Proxyshell Mass Exploitation

Mass targeting campaigns documented:
  • India: 52+ targets identified
  • Greece: 34+ targets including banks and businesses
  • Belgium: 31+ targets across multiple sectors
  • Canada: Multiple targets
  • Egypt: Various entities

Targets include:
  • Exchange servers at corporate entities
  • Government email infrastructure
  • Financial institutions
  • Professional services firms
  • Healthcare organizations
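Added example (not from the page or from the group's own materials): defender-side hunting logic over a constructed IIS log excerpt that flags the Autodiscover path-confusion requests characteristic of Proxyshell exploitation of Exchange servers, plus the follow-on .aspx drop under aspnet_client that corresponds to webshell deployment, grouped per source address so the chain stands out. The log layout, addresses, hostnames and file paths are constructed assumptions; a legitimate autodiscover.json request carrying an e-mail address is included to show it does not fire.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real data): date time c-ip method stem query status
SAMPLE_LOG = """\
2021-08-13 09:14:02 203.0.113.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa 200
2021-08-13 09:14:07 198.51.100.9 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 200
2021-08-13 09:14:09 198.51.100.9 POST /autodiscover/autodiscover.json @evil.test/powershell/ 200
2021-08-13 09:14:31 198.51.100.9 GET /aspnet_client/system_web/shell.aspx - 200
2021-08-13 09:15:00 192.0.2.44 GET /autodiscover/autodiscover.xml - 200
2021-08-13 09:16:12 192.0.2.44 GET /autodiscover/autodiscover.json Email=user@example.test 200
"""

# Path-confusion form: autodiscover.json followed by an "@" token in the request
PATH_CONFUSION = re.compile(r"autodiscover\.json\S*@", re.I)
# Back-end Exchange endpoints the confused request is steered toward
BACKEND = re.compile(r"/(powershell|mapi/nspi|ews/exchange\.asmx)", re.I)
# Post-exploitation: an .aspx page in a directory that normally serves no pages
WEBSHELL_PATH = re.compile(r"^/aspnet_client/.*\.aspx$", re.I)

def parse_line(line):
    """Split one constructed W3C-style line and URL-decode stem plus query."""
    date, time, c_ip, method, stem, query, status = line.split()
    full = unquote(stem + ("?" + query if query != "-" else ""))
    return {"ts": f"{date} {time}", "ip": c_ip, "url": full, "stem": stem}

def classify(entry):
    """Return the indicator names a single request matches (empty list if benign)."""
    hits = []
    url = entry["url"]
    # Both conditions are required: a lone "@" in an Email parameter is legitimate traffic
    if PATH_CONFUSION.search(url) and BACKEND.search(url):
        hits.append("proxyshell_path_confusion")
    if "email=autodiscover" in url.lower():
        hits.append("proxyshell_email_param")
    if WEBSHELL_PATH.match(entry["stem"]):
        hits.append("aspx_in_aspnet_client")
    return hits

def hunt(log_text):
    """Group indicators per source address so a probe -> backend -> webshell chain is visible."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        for hit in classify(entry):
            by_ip[entry["ip"]].append((entry["ts"], hit))
    return dict(by_ip)

if __name__ == "__main__":
    for ip, hits in hunt(SAMPLE_LOG).items():
        print(ip, [name for _, name in hits])
```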

Documented Specific Targets

From leaked attack reports:
  • Optima Bank (Greece) - webmail access
  • Various Greek businesses and accounting firms
  • Indian Mahindra entities
  • Belgian corporate targets
  • Multiple telecommunications providers

Target Selection Criteria

Strategic Value

  1. Intelligence Collection: Access to communications and sensitive information
  2. Counterintelligence: Monitoring foreign intelligence activities
  3. Regime Security: Tracking opposition and dissidents
  4. Regional Influence: Supporting Iranian geopolitical objectives

Operational Factors

  1. Accessibility: Vulnerability to exploitation techniques
  2. Value: Intelligence significance of the target
  3. Strategic Positioning: Location and connections
  4. Operational Security: Likelihood of detection

Priority Targeting

Highest priority categories:
  1. Intelligence organizations
  2. Iranian opposition (domestic and abroad)
  3. Government entities in neighboring countries
  4. Telecommunications infrastructure
  5. Strategic regional partners

Target Documentation

Leaked materials reveal extensive target tracking:
  • Excel spreadsheets of Proxyshell targets by country
  • Attack reports on specific entities
  • Daily reports mentioning target activities
  • Success/failure logs for operations
  • Credential databases from compromised targets

Targeting Evolution

Evidence shows operational evolution:
  • Mass exploitation campaigns (Proxyshell)
  • Targeted social engineering (AMEEN ALKHALIJ)
  • Custom malware deployment (BellaCiao)
  • Sustained access operations
  • Multi-stage targeting approaches