NasirSecurity: Pro-Iranian Group Targets Gulf Energy Supply Chains

Mar 26, 2026 · Supply chain · 4 energy companies

HIGH SINGLE-SOURCE

By Karim El Labban · ZERO|TOLERANCE

A threat actor assessed as a contracted proxy serving Iranian strategic objectives claimed breaches of six organizations across four Gulf states and Israel between October 2025 and March 2026 - Dubai Petroleum (UAE), CC Energy Development (Oman), Rumaila Operating Organisation (Iraq), Al-Safi Oil Company (Saudi Arabia), UAE Customs, and Taldor (Israel).

The group alleged exfiltration of 827 GB of data. Resecurity's investigation, published March 23, 2026, revealed the central finding: NasirSecurity did not breach any of the energy majors directly.

All stolen data originated from third-party supply chain vendors - contractors and subcontractors involved in engineering, safety, and construction who serve the energy sector. The group then presented the stolen documents as if obtained from the energy companies themselves.

ZERO|TOLERANCE passive OSINT investigation identified the group's infrastructure on anonymous hosting (UltaHost, Frankfurt, cryptocurrency payment, no identity verification), confirmed zero social media presence across all platforms, and established that NasirSecurity operates in complete isolation from Iran's coordinated hacktivist ecosystem - it was not part of the Electronic Operations Room that mobilized 60+ groups after Operation Epic Fury.

The Rumaila Operating Organisation claim is particularly significant: the same Iraqi oilfield was physically shut down by Iranian drone strikes on March 3, 2026, just 16 days before NasirSecurity claimed its cyber compromise - a convergence of kinetic and cyber operations against a single target.

01

KEY FACTS

  • What: Iran-aligned proxy actor claimed breaches of six organizations across five countries. The actual compromises hit supply chain vendors, not the energy majors or government entities themselves.
  • Who (claimed): Dubai Petroleum (UAE), CC Energy Development (Oman), Rumaila Operating Organisation (Iraq; 1.5M bbl/day, one-third of Iraq's output), Al-Safi Oil Company / PURE IN (Saudi Arabia), UAE Customs (Federal Customs Authority), and Taldor (Israel). The true victims are unnamed third-party engineering, safety, and construction contractors.
  • How: Business email compromise via targeted spear phishing, impersonation of legitimate contacts, exploitation of public-facing applications, and exfiltration from insecure cloud storage services.
  • Data: Engineering schematics, construction contracts, risk assessment reports, fire alarm and safety equipment vendor documents. 8-10 sample files released per claim.
  • Actor: NasirSecurity - assessed as a contracted proxy or cutout operation most likely directed by Iranian-affiliated sponsors, with operators possibly based in Lebanon. Not a formal state-sponsored APT unit. WatchGuard classifies origin as Lebanon; Resecurity assesses "cyber-mercenaries or hired operatives." Has operated under multiple aliases: Sons of Hezbollah Lebanon, Sons of Al-Nusayr, Al-Nasir Resistance. No social media presence, no participation in Iran's coordinated hacktivist ecosystem, and no amplification from Iranian or Hezbollah media.
  • Impact: Authentic engineering and safety documents for Gulf energy infrastructure now in adversary hands. Strategic intelligence value for planning physical attacks on energy facilities. Reputational damage to named energy companies despite not being directly breached.

02

WHAT HAPPENED

On October 4, 2025, the domain nasir[.]cc was registered via NameCheap. The following day, a group calling itself "Sons of Hezbollah Lebanon" emerged and claimed its first attack - against Taldor, an Israeli IT services company.

The group alleged it had accessed Taldor's FortiGate Cloud and FortiEdge Cloud environments and discovered data belonging to Elbit Systems, the Israel Defense Forces, Rafael Advanced Defense Systems, the Israeli Ministry of Defense, and the Mossad within Taldor's systems.

This initial operation established the group's pattern: target a service provider, exfiltrate data, then present it as a breach of the service provider's high-profile clients.

After the Taldor claim, NasirSecurity went silent for nearly five months.

The Tor mirror went offline by November 13, 2025, and the clearnet site was showing an error page by January 14, 2026. The group resurfaced around March 10-11, 2026 - approximately 10-11 days after Operation Epic Fury launched US-Israeli strikes against Iran on February 28 - with a "Mission Announcement" and a significant pivot from Israeli defense targets to Gulf Cooperation Council energy infrastructure.

On March 13, the group published leak claims for Dubai Petroleum (UAE) and CC Energy Development (Oman), claiming 413 GB exfiltrated from Dubai Petroleum alone.

On March 19, the group claimed Rumaila Operating Organisation - the operator of Iraq's largest oilfield, producing 1.5 million barrels per day and accounting for one-third of Iraq's total oil output.

This same facility had been physically shut down on March 3 when Iranian drone strikes disrupted export routes via Basra, making the Rumaila claim a striking case of cyber-kinetic convergence against a single target.

On March 21, the group added Al-Safi Oil Company - a Saudi Arabia-based firm operating gas stations across the Kingdom under the PURE IN brand.

On March 26, the group claimed UAE Customs (Federal Customs Authority), extending its targeting beyond the energy sector into government infrastructure. By this point the group had rebranded to "Al-Nasir Resistance," its third name in six months.

On March 23, 2026, Resecurity published a detailed investigation that dismantled the group's narrative. The critical finding: NasirSecurity had not breached Dubai Petroleum, CC Energy Development, or any of the named energy majors.

The stolen data originated from third-party supply chain vendors - specifically contractors and subcontractors involved in engineering, safety, and construction services for the energy sector.

The group compromised these smaller vendors and then repackaged the stolen documents as direct breaches of the energy companies they served. Resecurity assessed the group's total claimed exfiltration of 827 GB as overstated.

The 8-10 sample files released per claim were authentic, but the volume claims were inflated - a common tactic to amplify perceived impact and media coverage.

This supply chain misdirection is the defining characteristic of the campaign. The energy majors are the named victims, but the actual security failures reside with their contractors.

The contractors' names have not been publicly disclosed, which means the organizations with the exploitable vulnerabilities remain unidentified - and potentially still compromised.

03

THREAT ACTOR

NasirSecurity has operated under at least three names: "Sons of Hezbollah Lebanon" (October 2025), "Sons of Al-Nusayr" (late 2025), and "Al-Nasir Resistance" (March 2026).

Resecurity assesses all three names as deliberately misspelled to create attribution confusion - "Hezbollah" and "Al-Nusayr" (Alawites) are distinct and often opposing sectarian groups, making genuine affiliation with both implausible.

The naming is performative, designed to muddy the waters.

Resecurity's assessment is that NasirSecurity consists of cyber-mercenaries or hired operatives acting on behalf of Iran or Iranian-affiliated proxies.

WatchGuard's ransomware tracker classifies the group's origin as Lebanon rather than Iran - a distinction that complicates the attribution picture but aligns with the broader ecosystem of Iran-aligned proxy operators in the region.

ZERO|TOLERANCE passive OSINT investigation identified the group's infrastructure: nasir[.]cc resolves to 84.200.80[.]16, hosted by UltaHost Inc on AS214036 in a First Colo GmbH datacenter in Frankfurt, Germany.

UltaHost explicitly markets anonymous VPS hosting with cryptocurrency payment and no identity verification - the operators provisioned this server without providing personal or financial information. The hosting provider also offers dedicated Iran VPS services.

The domain uses NameCheap's Private Email service (privateemail.com) for mail handling, with an SPF record published - consistent with operators who need mail from @nasir.cc to pass SPF checks for BEC operations, though SPF is also what most hosted-mail providers add during setup, so it is consistent with that use rather than evidence of it.

No TLS certificate has ever been logged for nasir.cc in Certificate Transparency, meaning the clearnet leak site either serves plain HTTP or uses a certificate outside the public CA ecosystem (self-signed certificates do not appear in CT logs).

No major Tier 1 threat intelligence vendor - including Palo Alto Unit 42, CrowdStrike, Mandiant, Check Point, or Recorded Future - has independently published attribution analysis for NasirSecurity.

Unit 42's comprehensive March 2026 Iran Threat Brief, updated through March 26, does not mention the group despite cataloging dozens of concurrent Iranian cyber operations.

This is not a formal state-sponsored unit like APT33 (Elfin/Refined Kitten) or APT34 (OilRig/Helix Kitten). The group lacks the technical sophistication of Iran's known APT clusters.

Its tactics - BEC, spear phishing, exploitation of public-facing applications, and targeting of insecure cloud storage - are competent but not advanced.

The five-month gap between the Taldor attack and the GCC energy campaign, followed by reactivation 10-11 days after Operation Epic Fury began on February 28, 2026, is consistent with a directed tasking model rather than independent hacktivism.

The group was not part of the "Electronic Operations Room" that coordinated 60+ hacktivist groups within hours of the February 28 strikes - its separate activation timeline suggests a different command chain.

The group maintains a clearnet data leak site at nasir[.]cc and a Tor mirror at yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd[.]onion. It has no social media presence - no Telegram channel, no Twitter/X account, no dark web forum activity.

This is the single most anomalous characteristic of this group. Every known Iranian-aligned hacktivist persona - Handala, CyberAv3ngers, Cyber Fattah, 313 Team, DieNet - operates Telegram channels for propaganda amplification.

NasirSecurity's complete absence from these platforms, combined with zero amplification from Iranian state media or Hezbollah-affiliated channels, indicates the operation is not designed for propaganda.

The leak site functions as proof-of-work for a handler or sponsor, not as a public-facing propaganda tool.

The weight of evidence - anonymous infrastructure, externally directed targeting, no financial motivation, no community engagement, operational isolation from Iran's coordinated hacktivist ecosystem - is most consistent with a contracted proxy or cutout operation serving Iranian strategic objectives while maintaining plausible deniability.

The pivot from Israeli defense targets to GCC energy infrastructure is strategically significant.

Iran has a documented history of targeting Gulf energy assets - the 2012 Shamoon attack destroyed approximately 30,000 workstations at Saudi Aramco, and Iranian APT groups have conducted persistent reconnaissance against Gulf petrochemical and utility companies throughout the 2020s.

NasirSecurity's campaign fits within this broader pattern of Iranian interest in mapping and disrupting Gulf energy operations, even if its methods are less sophisticated than state-tier APT activity.

04

WHAT WAS EXPOSED

The following data types were confirmed authentic by Resecurity based on released samples:

  • Engineering schematics - technical drawings detailing the physical design, layout, and systems of energy infrastructure facilities. These documents reveal structural vulnerabilities, equipment placement, and access points that cannot be changed without major capital expenditure.
  • Construction contracts - contractual documents between energy companies and their engineering and construction vendors, revealing project scope, timelines, costs, and vendor relationships.
  • Risk assessment reports - formal evaluations of safety and operational risks at energy facilities. These documents identify known vulnerabilities and mitigation gaps - providing adversaries with a prioritized target list.
  • Fire alarm and safety equipment vendor documents - specifications, installation records, and maintenance documentation for fire suppression and safety systems. Knowledge of safety system configurations enables adversaries to plan attacks that circumvent or disable protective measures.

Each claim was accompanied by 8-10 sample files. The total claimed exfiltration was 827 GB (413 GB attributed to Dubai Petroleum alone). Resecurity assessed these volume claims as overstated - a common inflation tactic.

The actual volume of confirmed authentic data is lower, but even a fraction of 827 GB of engineering and safety documentation represents significant strategic intelligence.

The nature of this data is uniquely dangerous. Unlike credential breaches, where passwords can be rotated, engineering schematics and facility layouts are permanent. A building cannot be redesigned because its blueprints were stolen.

Fire suppression system configurations cannot be easily replaced. The intelligence value of these documents extends years into the future and directly enables kinetic attack planning.

05

TECHNICAL FAILURE CHAIN

The direct victims - the supply chain vendors - have not been publicly identified, which limits technical detail. However, the TTPs Resecurity documented imply the following failure chain:

1. Inadequate email security at supply chain vendors. NasirSecurity's primary initial access vector was business email compromise via targeted spear phishing (MITRE ATT&CK T1566).

By inference, the compromised vendors lacked enforced email authentication (SPF with a hard fail, DKIM, and DMARC at p=reject), advanced threat protection, and employee training to detect impersonation of legitimate contacts. DMARC enforcement stops exact-domain spoofing but not look-alike domains, so it has to be paired with inbound controls that flag external senders and newly registered domains.

BEC remains the single most effective initial access technique because it exploits human trust rather than technical vulnerabilities.
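The two email-authentication observations on this page - the SPF record on nasir[.]cc and the enforcement gap at the vendors - come down to reading SPF and DMARC TXT records and deciding whether spoofed mail would actually be rejected. The following is an added example, not code from ZERO|TOLERANCE or Resecurity. The DNS answers are constructed: the page says SPF is configured on nasir.cc but does not quote the record, so that entry is a hypothetical stand-in, and the vendor domains are invented to show weak, open, and enforcing postures. Swap `lookup_txt` for a real resolver call to run it against live domains.

```python
import re

# Constructed TXT records for illustration. The nasir.cc entries are hypothetical: the
# page reports SPF is configured on the domain but does not quote the record. The vendor
# domains are invented to show weak, open, and enforcing postures side by side.
SAMPLE_TXT = {
    "nasir.cc": ["v=spf1 include:spf.privateemail.com ~all"],
    "_dmarc.nasir.cc": [],
    "weak-vendor.example": ["v=spf1 a mx include:_spf.google.com ~all"],
    "_dmarc.weak-vendor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak-vendor.example"],
    "open-vendor.example": ["v=spf1 +all"],
    "strong-vendor.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strong-vendor.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong-vendor.example"
    ],
}

SPF_TERM = re.compile(r"^([+\-~?]?)(all|include|a|mx|ip4|ip6|exists|ptr|redirect)(?:[:=](.*))?$", re.I)


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query, answered from the constructed records above."""
    return records.get(name.lower(), [])


def parse_spf(txt_records):
    """Parse the single v=spf1 record; report the qualifier on the 'all' mechanism."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return None
    if len(spf) > 1:
        return {"valid": False, "reason": "multiple SPF records (RFC 7208 permerror)"}
    mechanisms, all_qualifier = [], None
    for term in spf[0].split()[1:]:
        m = SPF_TERM.match(term)
        if not m:
            return {"valid": False, "reason": f"unknown term {term!r}"}
        qualifier, mech, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if mech == "all":
            all_qualifier = qualifier
        mechanisms.append((qualifier, mech, arg))
    return {"valid": True, "all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(txt_records):
    """Parse v=DMARC1 tag=value pairs into a dict (keys lower-cased)."""
    rec = [r for r in txt_records if r.upper().startswith("V=DMARC1")]
    if not rec:
        return None
    tags = {}
    for part in rec[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_domain(domain, records=SAMPLE_TXT):
    """Return whether spoofing of `domain` would be rejected, plus the gaps found."""
    spf = parse_spf(lookup_txt(domain, records))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, records))
    findings = []
    if spf is None:
        findings.append("no SPF record: any host can send as this domain")
    elif not spf["valid"]:
        findings.append("SPF permerror: " + spf["reason"])
    elif spf["all"] == "+":
        findings.append("SPF +all: explicitly authorizes every sender")
    elif spf["all"] != "-":
        findings.append("SPF does not hard-fail unauthorized senders (no -all)")
    policy = (dmarc or {}).get("p", "none").lower()
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM results are never enforced")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
    enforcing = bool(spf and spf["valid"] and spf["all"] == "-" and policy == "reject")
    return {"domain": domain, "enforcing": enforcing, "findings": findings}


if __name__ == "__main__":
    for d in ("nasir.cc", "weak-vendor.example", "open-vendor.example", "strong-vendor.example"):
        r = assess_domain(d)
        print(d, "ENFORCING" if r["enforcing"] else "WEAK", r["findings"])
```

Only the combination of `-all` and `p=reject` makes an exact-domain spoof bounce; `~all` with `p=none` (the most common real-world state) merely generates reports while the spoofed message is delivered.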

2. Exposed public-facing applications. The group exploited public-facing applications (MITRE ATT&CK T1190) - likely web portals, project management platforms, or document sharing systems - used by contractors to collaborate with energy company clients.

Successful exploitation implies unpatched or misconfigured applications, compounded where those portals lacked enforced multi-factor authentication, IP allowlisting, or anomaly detection on logins.

3. Insecure cloud storage services. Resecurity confirmed the group exfiltrated data from insecure cloud storage services (MITRE ATT&CK T1530).

This indicates contractors were storing sensitive engineering documents, construction contracts, and risk assessments in cloud environments without proper access controls - no authentication requirements, no encryption at rest, no access logging, and no data loss prevention monitoring.
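The four controls named above are all things a storage posture check can verify mechanically. The following is an added example, not code from the page or from any vendor: it takes an S3-style bucket policy and decides whether an anonymous caller can satisfy any Allow statement, then folds in the other three settings. Both policy documents are constructed, the account ID and role name are hypothetical, and `CALLER_SCOPING_KEYS` is a deliberate simplification of how public-access analyzers reason about conditions (the condition key names themselves are real AWS keys).

```python
import json

# Constructed bucket policies (no real vendor's). OPEN_POLICY is the "no authentication
# requirements" failure: Principal "*" with nothing restricting who the caller is.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::vendor-projects", "arn:aws:s3:::vendor-projects/*"],
    }],
})

# Constructed hardened policy: one named contractor role, one prefix, TLS required,
# and an explicit Deny for any plaintext request. Account ID and role are hypothetical.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FireSafetyContractor", "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/contractor-fire-safety"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::vendor-projects/fire-safety/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::vendor-projects", "arn:aws:s3:::vendor-projects/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Condition keys that narrow *who* may call, so an Allow to "*" carrying one of them is
# not world-readable. A simplification of the reasoning public-access analyzers apply;
# aws:SecureTransport, for instance, restricts how, not who, and is deliberately absent.
CALLER_SCOPING_KEYS = {
    "aws:sourceip", "aws:sourcevpc", "aws:sourcevpce",
    "aws:principalorgid", "aws:principalaccount", "aws:principalarn",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} means any caller, including unauthenticated ones."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_scopes_caller(condition):
    for operator_block in (condition or {}).values():
        if any(key.lower() in CALLER_SCOPING_KEYS for key in operator_block):
            return True
    return False


def public_statements(policy_json):
    """Sids of Allow statements that an anonymous principal can satisfy."""
    policy = json.loads(policy_json)
    return [
        st.get("Sid", "<no sid>")
        for st in _as_list(policy.get("Statement", []))
        if st.get("Effect") == "Allow"
        and _principal_is_anonymous(st.get("Principal"))
        and not _condition_scopes_caller(st.get("Condition"))
    ]


def evaluate_bucket(name, policy_json, public_access_block, default_sse, access_logging):
    """Policy check combined with the other three controls the failure chain names.
    The three booleans stand in for the bucket's BlockPublicAccess, default
    encryption, and server access logging settings."""
    findings = []
    public = public_statements(policy_json)
    if public and not public_access_block:
        findings.append(f"anonymous access via statements {public}")
    elif public:
        findings.append(f"public statements {public} only neutralized by BlockPublicAccess")
    if not default_sse:
        findings.append("no default server-side encryption")
    if not access_logging:
        findings.append("no access logging: exfiltration leaves no record")
    return {"bucket": name, "findings": findings}


if __name__ == "__main__":
    print(evaluate_bucket("vendor-projects", OPEN_POLICY, False, False, False))
    print(evaluate_bucket("vendor-projects", RESTRICTED_POLICY, True, True, True))
```

The Deny statement in the hardened policy is what makes the TLS condition enforceable; an Allow with `aws:SecureTransport: true` alone still leaves plaintext requests to be decided by other policies.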

4. Absence of vendor security requirements by energy companies. Dubai Petroleum, CC Energy Development, and the other energy majors failed to impose and enforce minimum cybersecurity standards on their supply chain vendors.

No evidence of third-party security assessments, contractual security requirements, or continuous monitoring of vendor security posture. The energy companies shared sensitive engineering and safety documents with contractors who lacked basic security controls.

5. No data classification or access segmentation. Engineering schematics and risk assessments for critical energy infrastructure were stored alongside routine project documents with no classification, compartmentalization, or need-to-know access restrictions.

A single vendor compromise exposed the full breadth of project documentation rather than a limited subset.

6. No breach detection or exfiltration monitoring.

No vendor or energy company disclosed an intrusion before NasirSecurity published its claims, and the group's activity spans at least five months (October 2025 to March 2026). Taken together with the volume of data allegedly exfiltrated, this indicates that neither the vendors nor the energy companies detected the compromise.

No data loss prevention tooling flagged the outbound transfer of engineering documents, whatever the true volume turns out to be.

06

INDICATORS OF COMPROMISE

Threat Actor Aliases:

  • NasirSecurity
  • Sons of Hezbollah Lebanon (October 2025)
  • Sons of Al-Nusayr (late 2025)
  • Al-Nasir Resistance (March 2026)

Attribution: assessed as a proxy/cutout (55-70% confidence) rather than a genuine Iranian state unit; WatchGuard records the origin as Lebanon.

Infrastructure:

  • nasir[.]cc - clearnet leak site, registered October 4, 2025 via NameCheap
  • 84.200.80[.]16 - UltaHost Inc, AS214036, First Colo GmbH datacenter, Frankfurt, DE (anonymous VPS, cryptocurrency payment, no identity verification)
  • yzcpwxuhbkyjnyn4qsf4o5dkvu6m2fyo7dwizmnlutanlmzlos7pa6qd[.]onion - Tor mirror (offline by November 13, 2025)
  • Mail via NameCheap Private Email (privateemail.com), SPF record published
  • No certificate for nasir.cc in Certificate Transparency logs

Behavioral:

  • English-only communications despite claimed Lebanese/Iranian identity
  • No social media presence (no Telegram channel, no X account, no forum activity)

Attack Vector:

  • Supply chain compromise targeting third-party contractors
  • Exfiltrated data from engineering/construction vendors, not energy companies directly

Claimed Targets (energy majors and government entities not directly breached, per Resecurity):

  • Taldor (Israel) - October 5, 2025 (unverified)
  • Dubai Petroleum (UAE) - March 13, 2026
  • CC Energy Development (Oman) - March 13, 2026
  • Rumaila Operating Organisation (Iraq) - March 19, 2026
  • Al-Safi Oil Company / PURE IN (Saudi Arabia) - March 21, 2026
  • UAE Customs (Federal Customs Authority) - March 26, 2026

Data Types:

  • Engineering schematics and construction contracts
  • Risk assessments and fire safety vendor documents
  • 827 GB total claimed exfiltration (assessed as overstated)

No file hashes, malware samples, or YARA rules have been published by any source; the indicators above are limited to leak-site infrastructure.

07

REGULATORY EXPOSURE

  • UAE PDPL (Federal Decree-Law No. 45/2021) - Dubai Petroleum operates in the UAE. The PDPL governs personal data, so its obligations under Articles 6 (lawful processing), 7 (data security), and 26 (breach notification) attach to the extent the stolen contractor documents contain personal data (employee names, contact details, identifiers). Fines up to AED 10 million (~$2.7M). The UAE Cybersecurity Council's authority over critical infrastructure entities may impose additional requirements independent of personal data content.
  • UAE TDRA Regulations - The Telecommunications and Digital Government Regulatory Authority maintains oversight of data handling practices by UAE-based entities. Energy companies operating digital infrastructure fall within scope.
  • Saudi PDPL - Al-Safi Oil Company operates gas stations across Saudi Arabia. The Saudi Personal Data Protection Law, enforced by SDAIA, imposes fines up to SAR 5 million (~$1.3M) per violation. Articles 14 (security measures), 20 (breach notification), and 24 (cross-border transfer restrictions) are directly applicable. If any personal data of employees, customers, or partners was included in the stolen contractor documents, individual notification obligations are triggered.
  • NCA Essential Cybersecurity Controls (Saudi Arabia) - Al-Safi Oil Company and any contractors operating within Saudi Arabia's energy sector are subject to the National Cybersecurity Authority's mandatory controls. The failure to secure supply chain vendor access to sensitive documents violates NCA requirements for third-party risk management.
  • Oman PDPL - CC Energy Development operates in Oman. The Oman Personal Data Protection Law, enforced by the Ministry of Transport, Communications and Information Technology, requires adequate security measures for personal data processing and mandatory breach notification. Engineering documents containing employee or personnel data fall within scope.
  • Iraq - Rumaila Operating Organisation falls under Iraq's emerging data protection framework. While Iraq lacks a comprehensive data protection law comparable to GDPR, sector-specific regulations and the Iraqi National Security Advisory mandate minimum cybersecurity standards for energy infrastructure operators.
  • GDPR (Regulation 2016/679) - If any of the compromised supply chain vendors are EU-based or process data of EU residents (engineers, consultants, or contractors based in EU member states), GDPR applies. Article 32 requires appropriate security measures. Article 33 requires 72-hour breach notification to the supervisory authority. Article 28 imposes obligations on data controllers (the energy companies) to ensure processors (their contractors) maintain adequate security. Fines up to EUR 20 million or 4% of annual global turnover.
  • NIS2 Directive (EU) - If any supply chain vendors fall within the EU's Network and Information Security Directive scope as providers to essential entities in the energy sector, mandatory incident reporting obligations apply.

08

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. The identities of the compromised supply chain vendors have not been disclosed by Resecurity or any other source - the organizations with the actual security failures remain unidentified and potentially still compromised.

2. The 827 GB total exfiltration claim originates from NasirSecurity and was assessed as "overstated" by Resecurity, but the actual volume of confirmed authentic data has not been quantified.

3. Attribution is unconfirmed. ZERO|TOLERANCE passive OSINT investigation assessed the group as most likely a contracted proxy or cutout operation (moderate confidence, 55-70%), based on anonymous infrastructure, operational isolation from the coordinated hacktivist ecosystem, absence of social media or propaganda function, targeting aligned with Iranian strategic interests, and timing synchronized with kinetic operations.

WatchGuard classifies origin as Lebanon, not Iran - this may indicate the operators' physical location rather than their sponsor.

4. The Taldor attack (October 2025) that launched NasirSecurity's activity has not been independently verified - claims of accessing Elbit Systems, IDF, Rafael, and Mossad data through Taldor's systems rest on NasirSecurity's assertions alone.

5. Dubai Petroleum, CC Energy Development, and Al-Safi Oil have not issued public statements confirming or denying the breach, and no regulatory filings related to this incident have been identified.

6. No major Tier 1 threat intelligence vendor - including Palo Alto Unit 42, CrowdStrike, Mandiant/Google, Check Point, Microsoft, or Recorded Future - has independently published analysis of NasirSecurity.

Unit 42's comprehensive March 2026 Iran Threat Brief, updated through March 26, contains zero mentions of the group despite cataloging dozens of Iranian cyber operations during the same period. All analytical depth originates from Resecurity's single report.

7. Post-publication leak site monitoring (RansoLook.io, through March 26) confirms Rumaila Operating Organisation and UAE Customs as additional NasirSecurity victims not in Resecurity's March 23 report.

The Rumaila claim (March 19) represents a significant cyber-kinetic convergence - the same facility was physically shut down by Iranian drone strikes on March 3, 2026. Whether NasirSecurity possessed Rumaila engineering documents before or after the kinetic strikes has not been established.

8. No malware samples, file hashes, YARA rules, or technical indicators of compromise (IOCs) for NasirSecurity have been published by any source. Ransomware.live confirms zero ransom notes, zero tools documented. This limits defensive detection capabilities.

9. nasir[.]cc infrastructure (84.200.80[.]16, UltaHost anonymous hosting, Frankfurt DE, cryptocurrency payment) has not been investigated for co-hosted domains, shared IP history, or connections to other threat actor infrastructure.

Active scanning was outside the scope of this passive OSINT investigation.

09

ZERO|TOLERANCE Advisory

NasirSecurity did not breach a single energy company. Every document - engineering schematics, construction contracts, risk assessments, fire safety vendor records - was stolen from third-party supply chain vendors.

The group compromised contractors and subcontractors, then repackaged stolen documents as direct breaches of Dubai Petroleum, CC Energy Development, and Al-Safi Oil. The energy majors' names made headlines. Their contractors' unaudited security posture made it possible.

Every contractor handling sensitive engineering or operational documents must meet documented, auditable security baselines before receiving access - mandatory endpoint detection and response, encrypted storage, annual penetration testing, and contractual right-to-audit clauses.

The energy majors trusted vendors who had never been tested, and that trust was the attack surface NasirSecurity exploited. It remains exploitable today because the compromised contractors have not been publicly identified.

The credential phishing techniques NasirSecurity employed would have failed against phishing-resistant authentication.

FIDO2 hardware security keys (or platform passkeys) for all external collaborators accessing project portals, document management systems, and cloud storage remove phishing-based credential theft as an access vector. They do not stop payment-diversion BEC, where the attacker never needs a credential; that requires out-of-band verification of any change to banking details or instructions.

The group impersonated legitimate contacts to harvest credentials, a technique that FIDO2 defeats by design: the browser binds the origin into the signed assertion, so an assertion captured on a look-alike domain is useless against the real portal. Every contractor access point is a perimeter, and each one needs the same authentication standard as the front door.
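Why a look-alike domain cannot reuse a FIDO2/WebAuthn assertion is easiest to see in the relying-party checks themselves. The following is an added example, not code from the page or from any WebAuthn library. It models the browser-plus-authenticator side and the relying-party side of an assertion ceremony, then runs a legitimate login, an adversary-in-the-middle phishing attempt, a forgery, and a replay. The relying party `portal.vendor.example` and the look-alike `portal-vendor.example` are hypothetical; an HMAC key stands in for the credential's asymmetric keypair (a real authenticator signs with, typically, ECDSA P-256 and the relying party verifies with the stored public key), which keeps the example dependency-free without changing the origin-binding logic.

```python
import base64
import hashlib
import hmac
import json
import os

# Hypothetical relying party (the vendor's project portal) and a look-alike phishing
# domain. Neither is on the original page.
RP_ID = "portal.vendor.example"
RP_ORIGIN = "https://portal.vendor.example"
PHISH_ORIGIN = "https://portal-vendor.example"

# Stand-in for the credential's private/public keypair. A real authenticator signs with
# an asymmetric key and the relying party verifies with the registered public key; an
# HMAC key keeps this runnable without a crypto library, and the checks are the same.
CREDENTIAL_KEY = os.urandom(32)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def authenticator_get_assertion(origin, challenge, key=CREDENTIAL_KEY):
    """Browser + authenticator side. The browser, not the web page, writes `origin`
    from the URL the user is actually on, and the authenticator signs over it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (UP bit set) || signCount (4 bytes).
    # rpIdHash comes from the effective domain the browser observed, so a look-alike
    # domain yields a different hash as well.
    rp_id = origin.split("://", 1)[1].split("/", 1)[0]
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signature = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion, expected_challenge, key=CREDENTIAL_KEY, rp_id=RP_ID, origin=RP_ORIGIN):
    """Relying-party checks, in the order the WebAuthn spec lists them for an assertion."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    challenge = os.urandom(32)
    legit = authenticator_get_assertion(RP_ORIGIN, challenge)
    # Adversary-in-the-middle phishing: the look-alike site relays the real portal's
    # challenge, but the browser stamps the look-alike origin into clientDataJSON.
    phished = authenticator_get_assertion(PHISH_ORIGIN, challenge)
    # The attacker rewrites clientDataJSON and authenticatorData to look legitimate and
    # reuses the captured signature; the signature no longer matches what it covers.
    forged_cd = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": RP_ORIGIN},
        separators=(",", ":"),
    ).encode()
    forged_ad = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    forged = {"clientDataJSON": forged_cd, "authenticatorData": forged_ad, "signature": phished["signature"]}
    return (
        verify_assertion(legit, challenge),
        verify_assertion(phished, challenge),
        verify_assertion(forged, challenge),
        verify_assertion(legit, b"\x00" * 32),  # replayed against a different challenge
    )


if __name__ == "__main__":
    for label, result in zip(("legitimate", "phished", "forged", "replayed"), demo()):
        print(f"{label:>11}: {result}")
```

Contrast this with a TOTP code or push prompt: neither carries the origin, so a proxy on the look-alike domain can forward them to the real portal unchanged. Here the origin is inside the signed bytes, and the user's authenticator will never sign the real origin while the user is on the wrong site.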

Engineering schematics, risk assessments, and safety system documentation must be classified and stored in compartmentalized environments with need-to-know access controls.

A contractor working on fire alarm specifications should not have access to full facility engineering schematics.

The stolen documents provided adversaries with a roadmap for planning physical attacks on Gulf energy facilities because no access boundary existed between document categories.

Compartmentalization ensures a single compromised vendor yields a fragment of the picture, not the complete blueprint.

The exfiltration of hundreds of gigabytes should have triggered alerts within minutes, not gone undetected for months. Cloud storage services used for vendor collaboration must have DLP policies that detect and block bulk downloads or transfers to unauthorized destinations.

Sustained high-volume reads across document repositories followed by uploads to external storage produce unmistakable network signatures - the absence of monitoring meant NasirSecurity operated at scale without resistance.
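The signature described here, and the detection gap listed as item 6 of the failure chain, can be expressed as a per-principal sliding window over storage read events. The following is an added example, not code from the page or from any DLP product: it builds a constructed audit log (one engineer reading a handful of files over a morning, one compromised contractor account pulling 300 drawings in ten minutes) and raises the first alert per principal once either the distinct-object count or the byte volume in the window crosses a threshold. The log format, account names, object keys and thresholds are all invented for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed audit-log lines (not a real vendor's log) in a generic
    timestamp,principal,operation,key,bytes shape. One engineer reads a few files over a
    morning; one compromised contractor account pulls 300 drawings in ten minutes."""
    lines = []
    t0 = datetime(2026, 1, 14, 9, 0, 0)
    for i in range(6):
        ts = (t0 + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts},eng.aisha,GetObject,projects/siteA/pid-{i:03}.pdf,4000000")
    t1 = datetime(2026, 1, 14, 2, 10, 0)
    for i in range(300):
        ts = (t1 + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts},svc.contractor-42,GetObject,projects/siteB/dwg-{i:04}.dwg,150000000")
    return lines


def parse_line(line):
    ts, principal, op, key, nbytes = line.split(",", 4)
    return datetime.fromisoformat(ts), principal, op, key, int(nbytes)


def detect_bulk_reads(lines, window=timedelta(minutes=15), max_objects=50, max_bytes=5 * 1024**3):
    """Per-principal sliding window over read events. Emits the first alert per
    principal once either the distinct-object count or the byte volume inside the
    window crosses its threshold. Thresholds here are illustrative; tune them to the
    repository's normal per-user read profile."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e[0])
    windows = defaultdict(deque)   # principal -> recent (ts, key, bytes) inside the window
    alerts = {}
    for ts, principal, op, key, nbytes in events:
        if op != "GetObject":
            continue
        recent = windows[principal]
        recent.append((ts, key, nbytes))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct = {k for _, k, _ in recent}
        volume = sum(b for _, _, b in recent)
        if principal not in alerts and (len(distinct) > max_objects or volume > max_bytes):
            alerts[principal] = {"at": ts, "objects": len(distinct), "bytes": volume}
    return alerts


if __name__ == "__main__":
    for who, info in detect_bulk_reads(build_sample_log()).items():
        print(f"{who}: {info['objects']} objects, {info['bytes'] / 1e9:.1f} GB by {info['at']}")
```

In the constructed log the contractor account trips the byte threshold at its 36th read, roughly seventy seconds into the burst and long before the 300th file; alerting on the first crossing rather than on a daily total is what turns "months undetected" into minutes.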

Continuous third-party security monitoring, including external attack surface scanning and credential leak detection, could have surfaced the compromised vendors' weaknesses before the breach occurred.

General-purpose cloud storage must be replaced with secure collaboration platforms that enforce granular access controls, document watermarking, view-only modes for sensitive materials, and complete audit trails.

Engineering schematics for critical energy infrastructure should never reside in a standard cloud storage bucket accessible via a single set of compromised credentials.

The difference between a shared drive and a secure enclave is the difference between losing everything and containing the damage to what one compromised account could reach.

10

SOURCES

Resecurity, Security Affairs, The420.in, Dark Reading, Ransomware.live, RansoLook.io, WatchGuard, HookPhish, Hackmanac, ZERO|TOLERANCE OSINT Investigation
