APT34 OilRig group active in new phishing campaign
Target: Middle East/USA/Possibly UK & Europe
Attack Vector: Phishing Campaign
Threat Actor: APT34 OilRig
Summary: The Iranian APT34 group (aka OilRig) appears to have been active in a sophisticated phishing campaign from November 2017 onwards. Intelligence indicates the group has evolved and introduced new malware and data exfiltration techniques against a number of Middle Eastern targets. During its latest activities, it appears OilRig has employed around 20 different tools, which include off-the-shelf, dual-purpose utilities as well as previously undetected malware that used Google Drive and SmartFile for exfiltration, and an Internet Server Application Programming Interface (ISAPI) filter for compromising IIS servers.
Risk assessment summary: It is currently assessed that APT34 OilRig presents a 2c HIGH threat to a broad spectrum of sectors. Whilst the group usually operates in support of Iranian strategic interests within the Middle East, it has also operated beyond the region against the United States during a period which coincided with internal unrest that Tehran laid at Washington’s door. Given that the UK is seen as a major weapons and intelligence supplier to Iran’s main regional rival Saudi Arabia, this willingness to attack entities beyond the region increases the possibility that UK organisations could be considered valid targets.
Iran also continues to be a key player in both the Syrian and Yemen conflicts and is closely allied to Russia both politically and militarily. This alliance is almost certainly one of the factors in the increasing sophistication of OilRig activity and it may be that Tehran is still employing Russian “Hackers For Hire” as a means of enhancing the country’s offensive cyber capabilities. Such cooperation would certainly suit Moscow, who would undoubtedly benefit from intelligence sharing with Iran, whilst also being able to benefit from “plausible deniability”.
In the current diplomatic climate, where the United States has just expelled 60 Russian diplomats as a result of the alleged Russian poisoning of Sergei Skripal, the use of Iranian actors to carry out “proxy” attacks would also be a useful means of obfuscation in any forthcoming campaign against the West. If this proves to be the case, it may be possible to draw some commonalities between the TTPs used by both Russian and Iranian APTs. With this in mind, it is recommended that system users remain vigilant for plausible-seeming email lures which are designed to appeal specifically to the recipient. Monitoring of the threat environment will continue in order to identify further actionable intelligence.