
OilRig campaign, Iran-Linked Hackers Target US Government & Energy Grid

OilRig campaign – An Iran-linked hacker group which previously targeted organizations in Saudi Arabia has now set its sights on other countries.

Iranian hackers who previously targeted organizations in Saudi Arabia are now targeting organizations in other countries, including the US, as part of a campaign identified as the OilRig campaign.

In addition to expanding its reach, the group has been enhancing its malware tools.

Researchers at Palo Alto Networks have been monitoring the group for some time and have reported observing attacks launched by the threat actor against financial institutions and technology companies in Saudi Arabia, and against the Saudi defense industry. The campaign, referred to as "OilRig" by Palo Alto Networks, relies on weaponized Microsoft Excel spreadsheets tracked as "Clayslide" and a backdoor called "Helminth".
Bank attacks by the Iran-linked group were analyzed and documented by FireEye in May. SecurityWeek reports that Palo Alto Networks "discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey."
Helminth is delivered by the threat actors behind OilRig through spear-phishing emails carrying malicious macro-enabled Excel documents. In the case of a Turkish government organization, for instance, the Excel file was designed to mimic an airline's login portal, a lure chosen to make the target enable macros.
There are four variants of Helminth. The malware can communicate with its command and control (C&C) server over both HTTP and DNS, collect information about the infected device and download additional files from a remote server. One variant is built from VBScript and PowerShell scripts; another is deployed as an executable. Delivered by a Trojan nicknamed "HerHer", the executable version is also able to log keystrokes.

"The Zip archive is encrypted with an unknown password, but we know it contains two files named joboffer.chm and thumb.db. The thumb.db file in the archive has the same name and file size (368128 bytes) as a dropper Trojan we track as 'HerHer' (SHA256: fb424443ad3e27ef535574cf7e67fbf9054949c48ec19be0b9ddfbfc733f9b07) that installs a known Helminth executable sample," reads the report published by Palo Alto Networks.
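The quoted paragraph shows how much an analyst can learn from a password-protected attachment without the password: ZIP encryption (legacy ZipCrypto and WinZip AES alike) protects only the member data, while member names and uncompressed sizes sit in cleartext in the central directory. The following Python turns the quoted indicators into a triage check. It is an added example written for this page, not code from the Palo Alto Networks report or from the article; the archive it inspects is constructed inline (Python's zipfile module cannot write encrypted archives, so the stand-in is unencrypted, which does not change the metadata fields read), and the hash, size and member names are the ones quoted above.

```python
import hashlib
import io
import zipfile

# Indicators quoted from the Palo Alto Networks OilRig report above.
HERHER_SHA256 = "fb424443ad3e27ef535574cf7e67fbf9054949c48ec19be0b9ddfbfc733f9b07"
HERHER_SIZE = 368128
LURE_MEMBERS = {"joboffer.chm", "thumb.db"}


def archive_members(zip_bytes):
    """Map each member name to (uncompressed size, encrypted?).

    Only the central directory is read. Names, sizes and the encryption
    flag are stored in cleartext, so this works on a password-protected
    archive whose password is unknown; only extracting data would fail.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {
            info.filename: (info.file_size, bool(info.flag_bits & 0x1))
            for info in zf.infolist()
        }


def score_archive(zip_bytes):
    """Return the OilRig indicators matched by an archive's metadata alone."""
    members = archive_members(zip_bytes)
    hits = []
    if LURE_MEMBERS <= set(members):
        hits.append("member names match the OilRig lure archive")
    size, _encrypted = members.get("thumb.db", (None, False))
    if size == HERHER_SIZE:
        hits.append("thumb.db size matches the HerHer dropper")
    return hits


def is_herher_sample(data):
    """Exact match of file contents against the published HerHer hash.

    The size comparison is a cheap pre-filter so that a bulk scan only
    hashes files that could possibly match.
    """
    if len(data) != HERHER_SIZE:
        return False
    return hashlib.sha256(data).hexdigest() == HERHER_SHA256


def build_sample_archive(members):
    """Constructed stand-in for the phishing attachment (name -> bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_archive({
        "joboffer.chm": b"decoy help file",
        "thumb.db": b"\x00" * HERHER_SIZE,  # right size, not the real dropper
    })
    print(archive_members(lure))
    print(score_archive(lure))
    # Size matches but the hash does not, so this is not a confirmed sample.
    print(is_herher_sample(b"\x00" * HERHER_SIZE))
```

A name-and-size match from the central directory is a lead, not a verdict: the size pre-filter in `is_herher_sample` is what keeps a bulk hash sweep cheap, but only the SHA256 comparison confirms a HerHer sample.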

Regarding the origins of the threat actors, researchers have pieced together several clues that point to an Iran-based individual, although they admit that such data can be easily forged.

Palo Alto Networks has been monitoring the activities of several hacker groups believed to be operating out of Iran. One of these groups uses malware dubbed Infy; over the summer, the security firm reported that it had disrupted a cyberespionage campaign involving Infy. And in August it was reported that Iranian hackers had compromised more than a dozen Telegram accounts and identified the phone numbers of some 15 million Iranian users. The accounts breached were primarily those of activists, journalists and other high-profile individuals in Iran. The attack reportedly targeted Telegram's one-time SMS activation, not its end-to-end encryption. Telegram sends a verification code via SMS when a user logs in to the app from a new device. That SMS can be intercepted by phone companies and sold to attackers, who can then register the account on a device they control and read the user's contact list and stored message history. Telegram's optional two-step verification password mitigates this, since the SMS code alone is then no longer sufficient to log in.
More recently, concern has focused on the risk of the energy sector being targeted. According to RegBlog:

"…cybersecurity threats are an all-too-real risk for many buildings and electric grids connected to the Internet. According to a U.S. Department of Homeland Security report, although 'the energy sector only represents 5-6 percent of U.S. GDP, the energy industry is subject to roughly 32 percent of all cyberattacks.'

Recent events have highlighted vulnerabilities in the power supply system, paving the way for the bill's cyber measures. One headline-grabbing incident occurred in March when the Southern District of New York indicted a group of Iranian hackers for repeatedly hacking into a small dam in New York in 2013, targeting numerous major financial companies and gaining control over water levels. That episode ultimately caused little damage, aside from inconveniencing customers, but it demonstrated the potential threat nonetheless."
So Iranian threat actors appear to be expanding from banks toward government and critical infrastructure targets, including energy and water systems. More broadly, the fact that attackers are able to gain entry into any of these critical systems is unsettling: grid intrusions have the potential for severe and widespread impact.

Written by: CandiceLanier

Author Bio:

Candice Lanier is a contractor in the IT and counterterrorism intelligence fields. She is a member
of GhostSec, which has merged with BlackOps Cyber, an affiliate of prominent global intel agency,
BlackOps Partners. Candice also writes for RedState, The Christian Post, Medium and The Blacksphere.

Pierluigi Paganini

(Security Affairs – OilRig Campaign, Helminth Backdoor)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
