- Company "X" in Qatar got infected
- remote offices of company "X" in another GCC state "H" got infected
- Service provider "A" managing the remote office became infected
- Same Service provider "A" managing few of the GCC state "H" government entities became infected then infect other gov entities.
Seems crazy, but think about it as if you are another state has serious issues with GCC and you already has the technology, the skills and the code. if you can do it 2 times then hardly you will be stopped.
Have a nice weekend.