“At the moment, it’s an access operation,” said Rafe Piling, senior security researcher, Secureworks Counter Threat Unit. “The short-term goal is to obtain access to the target and maintain that access. The medium goal is to loiter and then potentially espionage. Obviously that gives whoever is running this group the potential capability to come back and do something more disruptive.”

One of the most disruptive hacking campaigns the region has seen in the last decade took place in 2012, when Iranian hackers broke into Saudi Arabia's Aramco and deleted files to cripple tens of thousands of key company computers. The malware used in that attack is known as Shamoon.

Saudi Aramco, a state-owned oil company and one of the richest companies on earth, is at the heart of that country's power. The region's energy companies are massively important to all of the nations around the Persian Gulf. The Shamoon hackers also hit the Qatar oil company RasGas.

Active since 2018, Hexane has dramatically increased activity in 2019 and deployed new malware against its targets. The first step in the group's tactics is sending spearphishing attacks to human resources and technology staffers at targeted organizations.

"Compromising individual HR accounts could yield information and account access that could be used in additional spearphishing operations within the targeted environment and against associated organizations," Secureworks researchers said in a report released on Tuesday. "IT personnel have access to high-privilege accounts and documentation that could help the threat actors understand the environment without blindly navigating the network to find data and systems of interest."

There is some debate among cybersecurity companies about the exact immediate targets of the group. Hackers can target information technology (IT) systems like desktop computers or operational technology (OT) systems like programmable logic controllers, computers designed specifically for industrial purposes like oil and gas refinement or manufacturing.

But the two systems are ultimately connected and, as Piling said in an interview on Tuesday, “it’s almost universally true that the path to IT goes through OT.”

Researchers have not put forth any direct technical links between Iran and the new hacking group, but Secureworks has pointed to “stylistic similarities” that strongly suggest the connection.

“The malware is in an early, immature age but it does include features we typically see in Iranian malware,” Piling said. “But it’s by no means specific and someone could emulate many of these characteristics if they wanted to enter the domain.”

Although the Persian Gulf is a hotbed of cyber activity, countries like Iran have a global reach. Earlier this year, Dragos identified a group dubbed Magnallium that is targeting American government, financial, and energy companies. (Full disclosure: A family member works for Dragos but was not involved in this report.)

Iran continues to be the target of American hackers, most notably when President Donald Trump ordered cyberattacks on Iranian weapons systems after a US drone was shot down by Iranian forces.