Overview:
Between February and September 2023, the Iranian hacking group known as OilRig, or APT34, infiltrated a Middle Eastern government network, maintaining access for an extensive period. This breach, characterized by sophisticated tactics, underscores the ongoing cybersecurity threats posed by state-sponsored actors.
Background:
OilRig, linked to Iran’s Ministry of Intelligence and Security (MOIS), has a history of conducting cyber-attacks targeting various regions, including the United States, the Middle East, and Albania.
Methodology:
Symantec’s threat hunter team, a division of Broadcom, uncovered the infiltration, revealing the group’s utilization of advanced techniques to compromise at least twelve computers within the government network.
Attack Vector:
The attackers employed a PowerShell backdoor named ‘PowerExchange,’ designed to evade detection and accept commands via Microsoft Exchange. This method facilitated data theft and enabled the execution of arbitrary commands.
Execution Process:
Upon breaching the system, PowerExchange leverages compromised Exchange Server credentials to monitor incoming emails, identifying those containing specific markers for command execution. The malware then executes the encoded commands, concealing its activities by relocating messages to ‘Deleted Items.’
Stealth Techniques:
By utilizing Exchange as a backdoor, APT34 camouflaged its activities within legitimate network traffic, minimizing the risk of detection and reducing the need for additional implants.
Tools and Tactics:
In addition to Power Exchange, APT34 utilized a variety of tools to carry out its campaign, including:
- Backdoor. Okel: Executes PowerShell commands and downloads files.
- Trojan.Dirps: Enumerates files and executes PowerShell commands.
- Infostealer.Clipog: Steals clipboard data and captures keystrokes.
- Mimikatz: Extracts credentials.
- Plink: Command-line tool for PuTTY SSH client.
Attack Timeline:
February – April: Initial Compromise and Expansion
- February 1 – 7: Introduction of PowerShell Script (joper.ps1) with Multiple Executions.
- February 5: Compromise of Second Computer; Utilization of Masqueraded Plink (‘mssh.exe’) for RDP Access.
- February 21: Observation of ‘netstat /an’ Command Execution on Web Server.
- April: Compromise of Two Additional Systems; Execution of Unknown Batch Files (‘p2.bat’) and Deployment of Mimikatz for Credential Capture.
June – August: Main Phase of Attack
- June: Execution of Backdoor.Tokel and PowerExchange; Commencement of Main Attack Phase.
- July: Deployment of TrojanDirps and Infostealer.Clipog; Setup of SSH Tunnels with Plink.
- August: Nessus Scans for Log4j Vulnerabilities; Compromise of Second Web Server with Infostealer.Clipog Installation.
September: Further Compromise and Network Activity
- September 1: Compromise of Three Additional Computers; Deployment of Plink via certutil; Wireshark Command Execution on Second Web Server.
- September 5: Breach of Two More Computers; Execution of Backdoor. Token Implant.
- September 9: Continuation of Activity on Second Web Server with Unknown PowerShell Script (‘joper.ps1’) Execution and Network Shares Manipulation.
Scope of Compromise:
Symantec identifies malicious activity across at least 12 computers within the victim’s network, with evidence suggesting the deployment of backdoors and keyloggers on numerous additional systems.
Tactics and Techniques:
OilRig’s tactics encompass a diverse array of tools, scripts, and techniques, facilitating reconnaissance, lateral movement, and data exfiltration/harvesting within the compromised network.
Conclusion:
Despite facing challenges, including toolset leaks in 2019, OilRig demonstrates resilience and ongoing activity, posing a significant threat to targeted entities. This prolonged infiltration underscores the necessity for robust cybersecurity measures and vigilant defense strategies to mitigate the risks posed by sophisticated threat actors.
Considering the persistent threat posed by sophisticated cyber actors like OilRig, organizations must bolster their cybersecurity defenses. From enhancing cyber awareness among employees to empowering frontline IT teams with technical training on the latest threat intelligence, organizations must adopt a comprehensive approach to mitigate risks effectively. Leveraging cutting-edge cybersecurity tools and solutions is equally crucial, and that’s where 2b Innovations comes in. As a trusted partner in cybersecurity, 2b Innovations offers a holistic suite of services, ranging from cyber security awareness training to advanced Managed Security Service Provider (MSSP) solutions. By partnering with 2b Innovations, organizations can fortify their defenses against evolving cyber threats, ensuring robust protection of their digital assets and sensitive information. Reach out to 2b Innovations today to discuss how we can help safeguard your organization from cyber-attacks.
