A new and enigmatic threat actor is casting a long shadow over the Middle East’s energy sector. Cybersecurity firm Resecurity has identified a group known as Nasir Security, which appears to be a specialized arm of Iranian cyber operations designed to destabilize the region’s critical infrastructure through a mix of digital sabotage and psychological warfare.
Rather than attempting to breach the hardened perimeters of state-owned oil and gas giants directly, Nasir Security focuses its efforts on the smaller vendors, contractors, and engineering firms that support them. By compromising these third parties, the group gains access to authentic corporate intelligence—schemes, contracts, and risk assessments—that they then use to manufacture a narrative of a much larger breach.
“The data stolen as a result of such incidents is authentic but originates from a third party (of the target company), which may lead to incorrect assumptions about the origin of the breach.”
This tactic, a form of supply chain attack, lets the group bypass the primary target’s defenses and project the “optics of a major attack” that far exceeds its actual technical footprint.
Resecurity’s analysis suggests that Nasir Security is as much a propaganda tool as it is a hacking group. Since emerging in late 2025, the group has followed a consistent pattern: long periods of silence followed by a flurry of claims targeting high-profile organizations in the UAE, Saudi Arabia, Oman, and Iraq.
Their claims are often heavily exaggerated to maximize psychological impact. For instance, the group claimed to have exfiltrated over 413 GB from Dubai Petroleum and 827 GB from Oman CC Energy Development. Resecurity found these numbers to be significant overstatements.
“The pattern across all observed claims is an overstated volume of stolen information, with a misinterpreted source for the actual leak.”
By releasing only a handful of sample files rather than full data dumps, the actors maintain a level of “uncertainty” in the audience, fueling their disinformation campaign.
To achieve their goals, Nasir Security employs a familiar but effective toolkit of offensive cyber tactics:
- Business Email Compromise (BEC): Using targeted spear phishing to gain access to contractor accounts.
- Impersonation: Masquerading as legitimate entities to gain trust.
- Vulnerability Exploitation: Attacking public-facing applications and insecure cloud storage.
- Credential Harvesting: Gaining unauthorized access to cloud management platforms like FortiGate Cloud and FortiEdge Cloud.
While the immediate damage from these leaks may be contained, the long-term risks are severe. The authentic documents acquired—such as infrastructure schemes and risk reports—provide Iranian threat actors with the blueprints needed for more destructive future operations.
These insights allow adversaries to identify “key infrastructure components that, if damaged, would impact the facility and be difficult to repair,” potentially leading to long-term outages due to global supply chain disruptions.
Resecurity warns that the emergence of Nasir Security is likely a precursor to an increase in “false flags, psychological operations (psy ops), and influence campaigns” in the region. Enterprises are urged to accelerate their third-party cybersecurity monitoring and conduct rigorous vendor risk assessments to close the supply chain gaps currently being exploited.