Update (unrelated to OilRig), reported May 18: Russia tried to take over Pentagon Twitter accounts: report
SCMedia: Attacks believed to be Iranian in origin were fended off for more than two weeks in April, but security experts examining the code detected something they had never seen before: snippets of code bearing similarities to a known Russian toolkit available on an underground Russian marketplace.
The code had previously been used in a damaging cyber-attack on Ukraine's infrastructure in 2015.
Carl Wright, general manager and executive vice president of worldwide sales at TrapX Security, the San Mateo, California-based security firm that blocked the hackers last month, told an interviewer it was the first time his firm had detected an attack where hackers based in Iran were collaborating with Russian hackers-for-hire, according to an article in the New York Times.
Wright could not reveal the target of the attack owing to a confidentiality arrangement. But other security experts said the attackers could have purchased the Russian toolkit from an online forum and customised it for their campaign.
This hypothesis is countered by TrapX researchers, however, who noted that a number of “web domains used in the attack had been registered to a Russian alias, and that three email addresses continue to be used by a hacker in Russian hacking forums and in the underground web.”
The Iranian attackers behind the latest campaign, dubbed OilRig for their previous attacks on oil companies in Saudi Arabia and Israel, have been expanding their geographical range with hundreds of new attacks targeting a number of military, financial and energy companies in Europe as well as the United States, the Times reported.
Nearly three-quarters of the code employed in the latest campaign was previously used by OilRig in hundreds of attacks on other enterprises, including government agencies and oil companies.
But as the newest target's defences became more robust and the attackers evolved their tactics, the researchers noted new weapons in their arsenal: a typical hacker's kit for siphoning out data such as usernames and passwords and, more revealing, a tool never before detected in an OilRig campaign.
This tool was obfuscated with encryption to evade investigators. After weeks spent decrypting the code, the TrapX researchers determined that, besides code similar to that used by OilRig in prior attacks, the actors were employing BlackEnergy, the malware previously used by the Russian hackers who attacked Ukraine's power grid. Further, data was being exfiltrated from the target to a server that had also been used in the Ukraine attack.
TrapX lured the attackers into planting their malware on a server it controlled, which the TrapX team then analysed before shutting the attackers out of its client's systems.
*** There is more:
Iranian hackers who previously targeted organizations in Saudi Arabia are now targeting organizations in other countries, including the US, as part of the campaign identified as OilRig.
In addition to expanding its reach, the group has been enhancing its malware tools. Researchers at Palo Alto Networks have been monitoring the group for some time and have reported observing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia and on the Saudi defense industry. This campaign, which Palo Alto Networks tracks under the OilRig name, entails weaponized Microsoft Excel spreadsheets tracked as "Clayslide" and a backdoor called "Helminth." More here.
The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions including the renowned Ben-Gurion University. The attackers, whom security experts say are members of the so-called OilRig (aka Helix Kitten, aka NewsBeef) nation-state hacking group in Iran, used stolen email accounts from Ben-Gurion to send their payload to victims.
“This is the largest and most sophisticated attack they’ve [OilRig] ever performed,” says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. “It was a major information-gathering [operation],” he says.
OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.
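A practitioner reading the above will want a way to triage incoming documents for the exploit pattern rather than wait for a vendor write-up. The Python below is an added example, not code from the article or from any vendor it quotes. It checks an RTF file for the publicly documented indicators of a CVE-2017-0199 exploit document: an auto-updating linked OLE object whose hex-encoded `\objdata` wraps an OLE2Link, a compound-file header and a URL moniker pointing at remote content. The scanner is heuristic; the sample RTF it builds is a constructed indicator-bearing mock with no payload, and the URL in it is a placeholder.

```python
"""Heuristic scanner for RTF documents carrying the CVE-2017-0199 OLE2Link
pattern (an autolinked OLE object whose URL moniker fetches remote content).

Added example, not from the article. Indicator values are the publicly
documented ones for this CVE; the sample RTF built at the bottom is
constructed for demonstration and contains no working payload.
"""
import re

# Control words that make Word refresh a linked object on open, which is
# what lets the remote URL be fetched without user interaction.
AUTO_UPDATE_CW = (rb"\objautlink", rb"\objupdate")

OLECF_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE compound-file header
OLE2LINK = b"OLE2Link"                            # class name in the OLE1 wrapper
# {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} = URL Moniker CLSID, as stored on disk
URL_MONIKER_CLSID = bytes.fromhex("e0c9ea79f9bace118c8200aa004ba90b")

# \objdata is followed by hex digits, usually wrapped across lines.
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]*)")
# The moniker stores its URL as UTF-16LE; the ASCII form catches samples
# that carry the URL elsewhere in the object.
URL_UTF16_RE = re.compile(
    rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
URL_ASCII_RE = re.compile(rb"https?://[\x21-\x7e]+")


def decode_objdata(blob: bytes) -> bytes:
    """Drop RTF whitespace from an \\objdata group and hex-decode it."""
    hexchars = re.sub(rb"\s", b"", blob)
    if len(hexchars) % 2:            # tolerate a stray trailing nibble
        hexchars = hexchars[:-1]
    return bytes.fromhex(hexchars.decode("ascii"))


def extract_urls(data: bytes) -> list:
    """Pull candidate remote URLs out of the decoded object data."""
    urls = [m.group(0).decode("utf-16-le") for m in URL_UTF16_RE.finditer(data)]
    urls += [m.group(0).decode("ascii") for m in URL_ASCII_RE.finditer(data)]
    return urls


def scan_rtf(rtf: bytes) -> dict:
    """Return indicator hits for one RTF. Three or more hits plus a URL is a strong match."""
    hits = {"auto_update": any(cw in rtf for cw in AUTO_UPDATE_CW),
            "ole_object": False, "ole2link": False, "url_moniker": False, "urls": []}
    for m in OBJDATA_RE.finditer(rtf):
        data = decode_objdata(m.group(1))
        hits["ole_object"] |= OLECF_MAGIC in data
        hits["ole2link"] |= OLE2LINK in data
        hits["url_moniker"] |= URL_MONIKER_CLSID in data
        hits["urls"] += extract_urls(data)
    hits["score"] = sum(hits[k] for k in ("auto_update", "ole_object", "ole2link", "url_moniker"))
    hits["suspicious"] = hits["score"] >= 3 and bool(hits["urls"])
    return hits


def build_sample_rtf(url: str) -> bytes:
    """Constructed test input: the indicator layout of a CVE-2017-0199 document, no payload."""
    url16 = url.encode("utf-16-le")
    # Simplified stand-in for the compound file's moniker stream.
    native = (OLECF_MAGIC + b"\x00" * 8 + URL_MONIKER_CLSID
              + len(url16).to_bytes(4, "little") + url16 + b"\x00\x00")
    # OLE1 header: version, FormatID (embedded), class name "OLE2Link", then native data.
    ole1 = (bytes.fromhex("01050000") + bytes.fromhex("02000000")
            + (len(OLE2LINK) + 1).to_bytes(4, "little") + OLE2LINK + b"\x00"
            + b"\x00" * 8 + len(native).to_bytes(4, "little") + native)
    hexdata = ole1.hex().encode("ascii")
    lines = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1440\\objh1440"
            b"{\\*\\objclass Word.Document.8}{\\*\\objdata " + lines
            + b"}{\\result {\\pict}}}}")


BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"   # constructed control input

if __name__ == "__main__":
    for name, doc in (("sample", build_sample_rtf("http://example.invalid/a.hta")),
                      ("benign", BENIGN_RTF)):
        print(name, scan_rtf(doc))
```

Run it against a directory of inbound attachments and the `urls` field gives you the hosts to block and pivot on; the individual flags tell you which part of the pattern a sample deviates from, which matters because later exploit documents varied the wrapper while keeping the URL moniker.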
Forbes has more on OilRig's hacking operations against corporations and individuals in the United States and other countries.