Pro‑Iranian Nasir Security Targets Gulf Energy Companies via Supply‑Chain BEC Campaign
What Happened – A newly identified Iran‑aligned cyber‑criminal group, Nasir Security, has been conducting business‑email‑compromise (BEC) and spear‑phishing attacks against energy firms and their engineering, construction, and safety‑equipment vendors across the Gulf region (the GCC states and Iraq). The actors exfiltrate genuine contracts, risk‑assessment reports, and schematics; because the documents are authentic rather than fabricated, they give an adversary the detail needed to plan physical sabotage of oil‑field and pipeline infrastructure.
Why It Matters for TPRM –
- A compromised vendor mailbox or file share leaks documents that carry the primary energy operator's name, so the breach appears to originate with the operator, bringing misattribution, notification obligations, and regulatory fallout to an organisation that was not itself compromised.
- Stolen engineering and safety documents give adversaries actionable intelligence for kinetic attacks, amplifying business continuity risk.
- The campaign demonstrates how geopolitical conflict is weaponised through cyber means, raising the threat baseline for all vendors linked to critical energy infrastructure.
Who Is Affected – Energy & utilities operators in the UAE, Oman, Saudi Arabia, and Iraq; third‑party engineering, construction, and safety‑equipment providers supporting those operators.
Recommended Actions –
- Conduct a supply‑chain risk review focused on the engineering, construction, and safety‑equipment partners that hold your drawings, risk assessments, or contracts.
- Verify that every vendor mailbox that exchanges documents with you enforces MFA, that the vendor domain publishes an enforcing DMARC policy, and that inbound mail is screened for BEC indicators such as lookalike sender domains, Reply‑To mismatches, and unsolicited payment‑detail changes.
- Audit the cloud storage that holds confidential design documents: remove public or anonymous access, enforce least‑privilege sharing, and encrypt at rest.
- Incorporate geopolitical threat feeds into your continuous monitoring program.
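As an added illustration of the BEC screening called for in the second action (example code written for this briefing, not from the source report or from any vendor product), the following Python triage script scores an inbound vendor message on the signals that separate a hijacked or impersonated vendor mailbox from a genuine one: failed or absent SPF/DKIM/DMARC results, a Reply‑To that points away from the sending domain, a display name that carries a vendor domain the address does not match, a lookalike sending domain (character substitution or one‑character edit), and a payment‑diversion lure. The vendor allowlist, the receiving mail host, and both sample messages are constructed for the example.

```python
"""Added example: BEC triage of inbound vendor e-mail headers.
Vendor domains, the receiving host and the two sample messages below are
constructed for illustration; they do not come from the original report."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical allowlist of vendor domains the operator exchanges documents with.
VENDOR_DOMAINS = {"gulfeng-example.com", "safetykit-example.com"}

# Wording that accompanies payment-diversion BEC (beneficiary / bank-detail changes).
PAYMENT_TERMS = re.compile(r"\b(bank|iban|swift|wire|beneficiary|payment details)\b", re.I)

# Character swaps commonly used to build lookalike domains.
SUBSTITUTIONS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Fold a domain into a canonical form so visually similar spellings collide."""
    d = domain.lower().replace("-", "")
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the allowlisted vendor domain that `domain` imitates, or None."""
    if domain in VENDOR_DOMAINS:
        return None
    for vendor in VENDOR_DOMAINS:
        if normalize(domain) == normalize(vendor) or edit_distance(domain, vendor) <= 1:
            return vendor
    return None


def auth_failures(msg):
    """Pull weak or failed results out of the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return [m.group(0) for m in
            re.finditer(r"\b(spf|dkim|dmarc)=(fail|softfail|none|permerror|temperror)\b", hdr)]


def triage(raw):
    """Return the BEC findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()

    fails = auth_failures(msg)
    if fails:
        findings.append("auth:" + ",".join(fails))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch:" + reply_domain)
    # Display name advertises a vendor domain while the real address does not use it.
    if any(v in name.lower() for v in VENDOR_DOMAINS) and from_domain not in VENDOR_DOMAINS:
        findings.append("display-name-spoof")
    target = lookalike(from_domain)
    if target:
        findings.append("lookalike:%s->%s" % (from_domain, target))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")
    if PAYMENT_TERMS.search(text):
        findings.append("payment-lure")
    # Two independent signals is the (illustrative) threshold for analyst review.
    return {"from": addr, "findings": findings, "suspicious": len(findings) >= 2}


# Constructed sample: a genuine vendor message.
LEGIT = """\
From: Accounts Payable <ap@gulfeng-example.com>
To: procurement@operator-example.com
Subject: Revised P&ID set for skid 7
Authentication-Results: mx.operator-example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

Attached is the revised drawing set as discussed on the call.
"""

# Constructed sample: lookalike domain, free-mail Reply-To, bank-detail change.
SUSPECT = """\
From: AP gulfeng-example.com <ap@gu1feng-example.com>
Reply-To: ap.gulfeng@webmail-example.net
To: procurement@operator-example.com
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.operator-example.com; spf=pass; dkim=none; dmarc=none
Content-Type: text/plain; charset=utf-8

Please update our beneficiary IBAN before releasing the next payment.
"""

if __name__ == "__main__":
    for sample in (LEGIT, SUSPECT):
        print(triage(sample))
```

The threshold of two findings is deliberate: a lone DMARC "none" or a single payment keyword is common in legitimate vendor traffic, whereas a lookalike domain combined with a Reply‑To pointing elsewhere is almost never benign. In production the allowlist would be fed from the vendor register and the `Authentication-Results` header should be trusted only when it was stamped by your own receiving host.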
Technical Notes – The group's tradecraft maps to ATT&CK Phishing (T1566) for the spear‑phishing lures, Impersonation (T1656) for the BEC element, Exploit Public‑Facing Application (T0819 in the ICS matrix; the Enterprise equivalent is T1190), and Data from Cloud Storage (T1530) for collection from insecure cloud buckets and shares. No specific CVE is cited; the attack surface is primarily human (mailbox users) and mis‑configured cloud services, so identity and storage hygiene matter more here than patch cadence. Source: Security Affairs