OilRig, also known as APT34, Helix Kitten, and various other aliases, is a sophisticated and persistent cyber espionage group widely believed to be operating on behalf of the Iranian government. This threat actor has been active since at least 2014, primarily targeting organizations in the Middle East, although their operations have extended globally. OilRig focuses on industries of strategic interest to Iran, including government, technology services, energy, oil, telecommunications, and critical infrastructure. Their primary objective is intelligence gathering to support Iran's geopolitical strategies. OilRig is known for its adaptability, constantly evolving its tactics, techniques, and procedures (TTPs) to evade detection and maintain access to compromised networks. This article provides a deep dive into OilRig's history, TTPs, notable campaigns, and defense strategies.
OilRig first came to the attention of the cybersecurity community around 2016, with initial attacks targeting Saudi Arabian organizations. However, evidence suggests the group may have been active as early as 2012. While precise attribution is always complex, OilRig is widely believed to be linked to Iranian state interests, and specifically associated with the Iranian Ministry of Intelligence and Security (MOIS). This attribution is based on factors such as targeting alignment with Iranian geopolitical goals, use of infrastructure linked to Iranian operations, timing of attacks, and analysis of malware code and techniques.
Over time, OilRig's tactics have evolved considerably. Early campaigns relied on spearphishing emails with malicious attachments delivering the Helminth backdoor. Later, the group shifted to custom malware like QUADAGENT and ISMAgent, often leveraging open-source tools like Invoke-Obfuscation for code obfuscation. They have also incorporated exploits for known vulnerabilities, such as CVE-2017-11882 and CVE-2024-30088, demonstrating their ability to rapidly weaponize newly disclosed flaws. Organizations should have a patch management strategy in place to shorten the window in which such vulnerabilities can be exploited.
OilRig has been linked, often through shared infrastructure or objectives, to other Iranian threat actors, including Crambus, GreenBug, and Cobalt Gypsy. The group's activities have also reportedly overlapped with those of APT33 (Elfin). A significant event in OilRig's history was the April 2019 leak of the group's cyber-espionage tools' source code on Telegram. This leak exposed some of their inner workings and likely prompted the group to change its techniques and tooling afterwards.
OilRig employs a diverse range of tactics, techniques, and procedures (TTPs), showcasing their sophistication and adaptability. Their operations typically involve multiple stages, from initial access to data exfiltration, with a strong emphasis on maintaining persistence and evading detection. The following is a breakdown of OilRig's TTPs, organized according to the MITRE ATT&CK framework:
Initial Access:
* T1566 Phishing: OilRig heavily relies on spearphishing, using both malicious attachments (often Microsoft Office documents with macros) and malicious links. They frequently employ social engineering techniques, sometimes leveraging platforms like LinkedIn.
* T1078 Valid Accounts: The group uses compromised credentials, often obtained through spearphishing, to gain initial access.
* Drive-by Compromise: Watering hole attacks, potentially targeting credentials for ICS network access.
Execution:
* T1059 Command and Scripting Interpreter: OilRig extensively uses PowerShell and VBScript, often embedding scripts within macros or using them to decode files.
* T1204 User Execution: Many of their attacks rely on user interaction, such as opening a malicious attachment or enabling macros.
Persistence:
* T1053 Scheduled Task/Job: OilRig frequently creates scheduled tasks to ensure their payloads are executed regularly, maintaining persistence.
* External Remote Services: Leverages remote services like VPN, Citrix, or OWA for persistence.
Privilege Escalation:
* T1068 Exploitation for Privilege Escalation: The group has been observed exploiting vulnerabilities, such as CVE-2024-30088 (Windows Kernel Elevation of Privilege), to gain higher-level privileges. Following the principle of least privilege limits what an attacker gains from such an escalation.
Defense Evasion:
* T1027 Obfuscated Files or Information: OilRig utilizes techniques like Invoke-Obfuscation to obfuscate their PowerShell scripts.
* T1140 Deobfuscate/Decode Files or Information: They often use Base64 encoding to hide malicious code.
* Masquerading: Uses .doc file extensions to disguise malicious executables.
* Virtualization/Sandbox Evasion: Checks for a connected mouse to avoid analysis in virtualized environments.
Credential Access:
* T1003 OS Credential Dumping: OilRig has been known to use tools like Mimikatz to dump credentials from LSASS memory.
* T1555 Credentials from Password Stores: They use tools like VALUEVAULT and custom DLLs (e.g., psgfilter.dll) to steal credentials from Windows Credential Manager and intercept plaintext passwords.
* Brute Force: Employs brute-force techniques to obtain credentials.
Discovery:
* T1016 System Network Configuration Discovery: OilRig gathers network information for reconnaissance.
* Account Discovery: Extensive use of net commands (net user, net group) to enumerate local and domain accounts.
* Network Service Discovery: Utilizes tools like SoftPerfect Network Scanner and GOLDIRONY.
* System Information Discovery: Employs tasklist, netstat -an, sc query, and reg query.
* Password Policy Discovery: Uses net accounts /domain.
* Peripheral Device Discovery: Checks for mouse presence.
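The discovery commands listed above are noisy in isolation but distinctive when several different ones run from one account within minutes. The following detection logic is an added example for this article (not OilRig tooling or any vendor's code) that slides a time window over constructed process-creation events, shaped loosely like Sysmon Event ID 1 / Security 4688 fields, and alerts on a (host, user) pair that runs at least three distinct discovery techniques in five minutes:

```python
"""Detect bursts of distinct discovery commands per (host, user). Added example for this article, not OilRig tooling."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# One pattern per technique, so a burst needs *different* commands, not one command repeated.
DISCOVERY_PATTERNS = {
    "net_user": re.compile(r"\bnet1?(\.exe)?\s+user\b", re.I),
    "net_group": re.compile(r"\bnet1?(\.exe)?\s+group\b", re.I),
    "net_accounts": re.compile(r"\bnet1?(\.exe)?\s+accounts\s+/domain\b", re.I),
    "tasklist": re.compile(r"\btasklist(\.exe)?\b", re.I),
    "netstat_an": re.compile(r"\bnetstat(\.exe)?\s+-an\b", re.I),
    "sc_query": re.compile(r"\bsc(\.exe)?\s+query\b", re.I),
    "reg_query": re.compile(r"\breg(\.exe)?\s+query\b", re.I),
}

def classify(command_line):
    """Return the discovery technique a process command line matches, or None."""
    for name, pattern in DISCOVERY_PATTERNS.items():
        if pattern.search(command_line):
            return name
    return None

def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Per (host, user), report every technique seen in any window holding >= min_distinct different ones."""
    per_key = defaultdict(list)
    for ev in events:  # ev: dict with ts (ISO 8601), host, user, cmd
        kind = classify(ev["cmd"])
        if kind:
            per_key[(ev["host"], ev["user"])].append((datetime.fromisoformat(ev["ts"]), kind))
    alerts = []
    for (host, user), items in per_key.items():
        items.sort()
        flagged, start = set(), 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # drop events older than the window
                start += 1
            kinds = {k for _, k in items[start:end + 1]}
            if len(kinds) >= min_distinct:
                flagged |= kinds
        if flagged:
            alerts.append({"host": host, "user": user, "techniques": sorted(flagged)})
    return alerts

# Constructed sample: a rapid enumeration burst on WS-014; a lone routine admin command on SRV-DB1 that must not alert.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T09:00:01", "host": "WS-014", "user": "CORP\\jdoe", "cmd": "net user /domain"},
    {"ts": "2024-06-01T09:00:07", "host": "WS-014", "user": "CORP\\jdoe", "cmd": 'net group "Domain Admins" /domain'},
    {"ts": "2024-06-01T09:00:12", "host": "WS-014", "user": "CORP\\jdoe", "cmd": "net accounts /domain"},
    {"ts": "2024-06-01T09:01:45", "host": "WS-014", "user": "CORP\\jdoe", "cmd": "netstat -an"},
    {"ts": "2024-06-01T14:20:00", "host": "SRV-DB1", "user": "CORP\\ops", "cmd": "reg query HKLM\\SOFTWARE\\Microsoft"},
]

if __name__ == "__main__":
    print(find_discovery_bursts(SAMPLE_EVENTS))
```

Tune the window and threshold against your own baseline; monitoring agents that run tasklist or sc query on a schedule will otherwise produce one technique repeatedly, which this logic deliberately does not count as a burst.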
Lateral Movement:
* T1021 Remote Services: OilRig uses tools like Putty for SSH access and leverages compromised credentials to move laterally within networks.
Collection:
* T1056 Input Capture: Employs keyloggers, like KEYPUNCH and LONGWATCH.
* Screen Capture: Uses CANDYKING to capture screenshots.
Command and Control (C2):
* T1573 Encrypted Channel: OilRig uses encrypted channels, often employing tools like Plink for secure tunneling, to communicate with C2 servers.
* T1071 Application Layer Protocol: They use HTTP/HTTPS for C2 communication, with a fallback to DNS tunneling in some cases.
* T1572 Protocol Tunneling: Employs Plink and other tools for creating tunnels to C2 servers.
* Fallback Channels: Uses DNS tunneling as a fallback communication mechanism if HTTP C2 fails.
Exfiltration:
* T1048 Exfiltration Over Alternative Protocol: OilRig has been observed using FTP for data exfiltration.
* Exfiltration via Exchange: Exfiltration of stolen credentials and other sensitive documents as email attachments sent from compromised Exchange accounts.
Impact:
* T1497 Virtualization/Sandbox Evasion: Checks for analysis environments.
ICS-Specific Techniques:
* Drive-by Compromise: Utilizes watering hole attacks to collect credentials that could be used to gain access to ICS networks.
* Scripting: Embedded a macro within spearphishing attachments that combined a VBScript and a PowerShell script.
* Spearphishing Attachment: Used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.
OilRig's targeting aligns closely with Iran's geopolitical interests. Their primary focus is on the Middle East, with a particular emphasis on countries like Saudi Arabia, Israel, and the United Arab Emirates. However, they have also targeted organizations in the United States, Europe, and other regions. Understanding what threat intelligence is, and how to use it, is a prerequisite for defending against threat actors like this.
The industries most frequently targeted by OilRig include:
* Government: Government agencies are a prime target for espionage purposes.
* Technology Services: Technology providers are often targeted as a means to gain access to their clients (supply chain attacks).
* Energy and Oil: These sectors are critical to Iran's economy and national security.
* Telecommunications: Telecommunications companies provide access to valuable communications data.
* Critical Infrastructure: OilRig has demonstrated an interest in targeting critical infrastructure, raising concerns about potential disruptive attacks.
* Financial: The financial sector has been targeted for sensitive information.
* Chemical: Organizations in the chemical sector have also been compromised.
OilRig's motivations are primarily espionage-driven. They seek to gather intelligence that can benefit Iran's strategic decision-making, economic development, and national security. This includes collecting sensitive information about government policies, military capabilities, economic activities, and critical infrastructure. The potential impact of OilRig's attacks includes data breaches, operational disruption, intellectual property theft, and compromise of national security. Organizations should implement robust security logging and monitoring mechanisms.
OilRig has been involved in numerous significant attack campaigns over the years, demonstrating their persistence and evolving capabilities. Some notable examples include:
Helminth Backdoor Campaign (2016): This early campaign involved spearphishing attacks against Saudi Arabian organizations, using malicious attachments to deliver the Helminth backdoor, providing remote access and code execution capabilities. This campaign focused on espionage within critical infrastructure and economic stability sectors.
QUADAGENT Deployment (2018): This campaign targeted technology service providers and government entities in the Middle East. OilRig used spearphishing emails, often sent from compromised government email accounts, to deliver the QUADAGENT malware, a PowerShell-based backdoor with advanced obfuscation. This campaign highlighted the group's use of supply chain vulnerabilities.
Exploitation of CVE-2017-11882 (2017): OilRig was among the first threat actors to exploit this Microsoft Office vulnerability shortly after a patch was released. They used spear phishing to deliver malicious RTF files that exploited the vulnerability, deploying the POWRUNER and BONDUPDATER malware.
Exploitation of CVE-2024-30088 (2024): This recent campaign involved exploiting a Windows Kernel privilege escalation vulnerability to deploy the STEALHOOK backdoor. OilRig rapidly weaponized this vulnerability after its disclosure, using Microsoft Exchange Servers to extract credentials.
Targeting Israeli Organizations (2022): OilRig launched a series of attacks against Israeli organizations, including healthcare, manufacturing, and local government entities. This campaign was notable for its use of custom downloaders leveraging legitimate Microsoft cloud services (OneDrive, Graph APIs, EWS API) for C2 and data exfiltration, demonstrating a significant effort to evade detection. This campaign also showed that OilRig frequently re-compromises the same targets.
Use of Password Filter Abuse (Multiple Campaigns): APT34 has harvested credentials through modified password filters, which allow clear-text password retrieval.
Supply Chain Attack in the UAE (Multiple Campaigns): Shows the threat actor's ability to perform supply chain attacks.
Phishing using Compromised Exchange Servers: Compromised Exchange servers are used to send phishing emails to related organizations.
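The password filter abuse described under Credential Access and in the campaign list above leaves a footprint in the registry: a filter DLL only receives plaintext passwords if it is registered in the LSA Notification Packages value. The following is an added example for this article (not the article's, OilRig's, or any vendor's code) that parses the output of reg query for that value and flags DLLs outside an assumed baseline; the baseline set and the reg query output format are the assumptions to check against your own golden image:

```python
"""Audit the LSA 'Notification Packages' value for unexpected password filter DLLs.

Added example for this article, not OilRig tooling or vendor code. Every DLL listed
here receives each plaintext password at change time, which is what a modified
filter such as psgfilter.dll abuses. BASELINE_PACKAGES is an assumption about a
stock Windows install; compare it with your own golden image."""
import re

# Assumed baseline: scecli is registered by default; rassfm appears on servers
# with RAS components installed. Anything else warrants investigation.
BASELINE_PACKAGES = {"scecli", "rassfm"}

# The line `reg query` prints for the value, e.g.
#     Notification Packages    REG_MULTI_SZ    scecli\0rassfm
_VALUE_RE = re.compile(r"^\s*Notification Packages\s+REG_MULTI_SZ\s+(.*)$", re.I)


def parse_notification_packages(reg_query_output):
    """Return the package names in `reg query` output for the LSA key, in order."""
    for line in reg_query_output.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            # reg query separates REG_MULTI_SZ entries with a literal backslash-zero
            return [p for p in m.group(1).strip().split("\\0") if p]
    return []


def unexpected_packages(reg_query_output, baseline=BASELINE_PACKAGES):
    """Packages registered on the host but missing from the baseline.
    Comparison is case-insensitive and ignores a trailing .dll."""
    found = parse_notification_packages(reg_query_output)
    normalised = {p.lower().removesuffix(".dll") for p in found}
    return sorted(normalised - {b.lower() for b in baseline})


# Constructed output of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Notification Packages"
# on a host where a third filter has been registered.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0psgfilter
"""

if __name__ == "__main__":
    extra = unexpected_packages(SAMPLE_OUTPUT)
    print("unexpected password filters:", ", ".join(extra) if extra else "none")
```

Run the audit against domain controllers first, since that is where a filter sees every domain password change, and pair it with alerting on modifications to the Lsa key itself so a newly registered filter is caught before the next scheduled audit.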
Defending against a sophisticated and persistent threat actor like OilRig requires a multi-layered approach encompassing technical controls, security awareness training, and proactive threat hunting. Some key defense strategies include:
Strengthen Access Controls:
* Multi-Factor Authentication (MFA): Implement MFA for all critical systems and accounts, particularly for remote access and email.
* Strong Password Policies: Enforce strong, unique passwords and regular password changes.
* Least Privilege Principle: Restrict user privileges to the minimum necessary for their job functions.
Implement Network Segmentation:
* Isolate Critical Systems: Separate critical systems and networks from less sensitive ones to limit the impact of a potential breach.
* Microsegmentation: Implement microsegmentation to further restrict lateral movement within the network.
* Control Inter-Segment Communication: Strictly control communication between network segments.
Timely Patch Management:
* Prioritize Critical Patches: Rapidly apply patches for vulnerabilities known to be exploited by OilRig, such as CVE-2024-30088.
* Virtual Patching: Consider virtual patching solutions to provide immediate protection while waiting for official patches.
* Regular Vulnerability Scanning: Conduct regular vulnerability scans to identify and address weaknesses in systems and applications.
Harden Endpoint and Server Security:
* Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity and detect malicious behavior.
* Behavior-Based Detection: Utilize security tools that can identify anomalous behavior, even if the specific malware is unknown.
* Enhance Virtualization/Sandbox Capabilities: Improve the ability to analyze suspicious files and emails in isolated environments.
Security Awareness Training: Train employees, particularly those with access to sensitive data, to identify and report phishing emails.
Monitor API Usage: Monitor the usage of APIs, especially in relation to Microsoft Cloud Services such as OneDrive.
Monitor Exchange Logs: Examine logs for unexpected activity, including data exfiltration, unusual attachments, and suspicious login attempts.
Application Whitelisting: Only allow approved applications to run on systems.
Network Traffic Analysis: Monitor network traffic, especially outbound traffic for signs of communication with known malicious domains or IP addresses.
Threat Intelligence: Stay informed about the latest OilRig TTPs and IOCs by leveraging threat intelligence feeds and reports. Learn more about indicators of compromise.
OilRig (APT34) remains a significant cyber espionage threat, demonstrating persistent activity, technical expertise, and a willingness to adapt its tactics. Their focus on the Middle East and industries of strategic importance to Iran underscores their likely state-sponsored nature. Cybersecurity teams must proactively adjust their defense strategies to account for OilRig's evolving TTPs, including their use of custom malware, exploitation of vulnerabilities, and abuse of legitimate cloud services. Robust monitoring, layered defenses, and a strong emphasis on security awareness are crucial for mitigating the risk posed by this sophisticated threat actor. Staying informed about the latest threat intelligence and implementing proactive security measures are essential for organizations to protect themselves from OilRig's persistent and evolving threat. SOAR platforms can be used to automate and orchestrate the detection and response workflows this requires.
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.