Iran-Linked 'OilRig' Cyberattackers Target Israel's Critical Infrastructure, Over & Over

Cyber Security Threat Summary:
Summary: In 2022, Israeli organizations faced a wave of cyberattacks orchestrated by OilRig, an Iranian advanced persistent threat (APT) group also known as APT34, Helix Kitten, or Cobalt Gypsy. The attacks deployed the novel downloaders SampleCheck5000, ODAgent, and OilBooster, built to abuse legitimate Microsoft cloud services for command-and-control communication and data exfiltration. What set these attacks apart was the use of Microsoft OneDrive, the Microsoft Graph OneDrive API, the Microsoft Graph Outlook API, and the Microsoft Office Exchange Web Services (EWS) API as the command-and-control channel. Targets included healthcare facilities, manufacturing firms, local government bodies, and undisclosed entities in Israel, all of which had previously fallen victim to OilRig.

Despite their relative simplicity, these downloaders' reliance on legitimate cloud services let OilRig hide its command-and-control traffic inside the victims' ordinary Microsoft 365 traffic: the destinations are hosts that every organization using Microsoft services already allows, so domain- or IP-based blocking offers little protection. The technique supported persistent re-targeting of previously compromised victims and shows the group's adaptability.

Security Officer Comments:
OilRig has been operational since 2014, specializes in cyber espionage, and focuses on industries such as chemicals, energy, finance, and telecommunications in the Middle East. Notably, its activities led to sanctions from the US government owing to its suspected backing by Iran's intelligence apparatus.

The downloaders employed by OilRig, although varied in functionality, share a common approach: each uses a shared email or cloud storage account as the channel through which operators issue commands and collect data. They are predominantly written in C#/.NET, except for OilBooster, which is written in Microsoft Visual C/C++, and each has its own method of accessing and exchanging data through that account.

Suggested Correction(s):

Organizations can make APT groups' lives more difficult. Here's how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies. Because OilRig's downloaders talk to legitimate Microsoft endpoints, monitoring must cover which processes and which accounts are using those services, not merely whether the destination is allowed.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations. Since these victims were compromised again after earlier OilRig intrusions, recovery should also confirm that the original access vector and any leftover footholds were actually removed.
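The downloaders described above blend in because their traffic goes to graph.microsoft.com, outlook.office365.com and login.microsoftonline.com, hosts that any Microsoft 365 tenant already allows, so the useful question is not where the traffic goes but which process and which account is generating it. The hunt script below is an added example for this summary, not code from the research report or from any vendor. It runs three heuristics over constructed endpoint telemetry (the tab-separated log layout, host names, process baseline and tenant GUID are all assumptions made for the example): it flags processes outside the expected Office clients reaching those endpoints, token requests against a tenant other than the organization's own (a shared operator account would live elsewhere), and a process polling one endpoint at a near-constant interval.

```python
"""Hunt for legitimate Microsoft cloud APIs being used as a C2 channel.

Added example, not code from the report or any vendor. Assumptions (all
constructed): telemetry lines are "timestamp<TAB>host<TAB>process<TAB>
dest_host<TAB>path", the organisation's Entra ID tenant GUID is known, and
the process baseline below reflects a managed Windows workstation.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hosts behind the Graph OneDrive/Outlook and Exchange EWS APIs the
# downloaders used, plus the token endpoint any client must hit first.
MONITORED_HOSTS = {"graph.microsoft.com", "outlook.office365.com",
                   "login.microsoftonline.com"}

# Constructed baseline of processes expected to reach those hosts.
EXPECTED_PROCESSES = {"outlook.exe", "onedrive.exe", "ms-teams.exe", "teams.exe",
                      "winword.exe", "excel.exe", "powerpnt.exe",
                      "officeclicktorun.exe", "msedge.exe"}

ORG_TENANT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder GUID
# "common"/"organizations" appear in ordinary Office sign-ins; "consumers"
# (personal Microsoft accounts) or a foreign tenant GUID is the suspicious case.
BENIGN_TENANT_ALIASES = {"common", "organizations"}
TOKEN_PATH = re.compile(r"^/([^/]+)/oauth2/(?:v2\.0/)?token")


def parse_line(line):
    """Split one telemetry line into a dict; process and host are lower-cased."""
    ts, host, proc, dest, path = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": proc.lower(), "dest_host": dest.lower(), "path": path}


def analyze(lines, org_tenant=ORG_TENANT_ID, min_beacons=4, max_cv=0.15):
    """Return findings as (rule, host, process, dest_host, detail) tuples.

    Rules: an unexpected process reaching a monitored host; a token request
    against a tenant other than ours; and a host/process/destination triple
    connecting at near-constant intervals (coefficient of variation <= max_cv),
    the shape of a downloader polling a shared mailbox or OneDrive folder.
    """
    findings = []
    series = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dest_host"] not in MONITORED_HOSTS:
            continue
        key = (ev["host"], ev["process"], ev["dest_host"])
        series[key].append(ev["ts"])
        if ev["process"] not in EXPECTED_PROCESSES:
            findings.append(("unexpected_process", *key, ev["path"]))
        if ev["dest_host"] == "login.microsoftonline.com":
            m = TOKEN_PATH.match(ev["path"])
            if m:
                tenant = m.group(1).lower()
                if tenant != org_tenant.lower() and tenant not in BENIGN_TENANT_ALIASES:
                    findings.append(("foreign_tenant_auth", *key, tenant))
    for key, stamps in series.items():
        if len(stamps) < min_beacons:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mu = mean(gaps)
        if mu > 0 and pstdev(gaps) / mu <= max_cv:
            findings.append(("periodic_beacon", *key, f"every ~{mu:.0f}s"))
    return findings


# Constructed telemetry: benign Office/OneDrive traffic on ws-fin-07, an
# unknown binary there authenticating with a personal account and polling
# OneDrive every five minutes, and an unknown binary on ws-hr-02 using EWS.
SAMPLE_TELEMETRY = """\
2022-08-14T09:00:00\tws-fin-07\tOUTLOOK.EXE\toutlook.office365.com\t/EWS/Exchange.asmx
2022-08-14T09:00:05\tws-fin-07\tOneDrive.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
2022-08-14T09:00:09\tws-fin-07\tOneDrive.exe\tlogin.microsoftonline.com\t/common/oauth2/v2.0/token
2022-08-14T09:01:00\tws-fin-07\tSysUpdate.exe\tlogin.microsoftonline.com\t/consumers/oauth2/v2.0/token
2022-08-14T09:01:02\tws-fin-07\tSysUpdate.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
2022-08-14T09:06:02\tws-fin-07\tSysUpdate.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
2022-08-14T09:11:02\tws-fin-07\tSysUpdate.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
2022-08-14T09:16:02\tws-fin-07\tSysUpdate.exe\tgraph.microsoft.com\t/v1.0/me/drive/root/children
2022-08-14T09:03:00\tws-hr-02\tmailsync.exe\toutlook.office365.com\t/EWS/Exchange.asmx
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_TELEMETRY.splitlines()):
        print(*finding, sep="  ")
```

On the constructed sample this yields six unexpected-process findings, one foreign-tenant sign-in (the "consumers" token request) and one periodic beacon at roughly 300 seconds, while the genuine Outlook and OneDrive activity produces nothing. The process baseline and the tenant aliases are the tuning points: "common" is allowed here because ordinary Office sign-ins use it, so a personal account hiding behind that alias still needs a check of the tenant's sign-in logs rather than this script alone.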