Earlier this month, a prolific hacking group said to be sponsored by Iran had its cyber arsenal leaked. A bundle of tools and target information belonging to the crew, dubbed OilRig, were thrown up on the web for all and sundry to see, marking the most significant leak of Iran’s cyber weaponry to date.
Now researchers who have gone through the data dump say the group was targeting 97 different organizations across 27 countries. Organizations on the OilRig hit list included government, media, energy, transportation, logistics and technology service providers. Along the way, OilRig stole 13,000 credentials for logging into targets’ online services, according to an analysis released Tuesday by U.S. cybersecurity firm Palo Alto Networks.
Forbes detailed OilRig’s early operations in February 2017, when it compromised a small American software company as a platform to attack other targets. It was – and still is – one of Iran’s most prolific cyber espionage units. Last year, the U.S. National Counterintelligence and Security Center named OilRig as an Iranian state-backed operation, as had already been claimed by cybersecurity researchers.
What’s in the leak?
The leak landed a month after a hacker with the user handle Mr_L4nnist3r claimed to have access to a trove of OilRig files. Nothing emerged from that particular account, but in early April, posts from a Twitter user @dookhtegan1 also promised to leak data on OilRig’s operations. They posted a link to a chat group on messaging app Telegram, which was swiftly downloaded by researchers.
Of the usernames and passwords pilfered by OilRig, many appeared to have been stolen from a single organization’s Active Directory. Gaining access to a company’s entire Active Directory – typically the repository where a business holds the majority of its usernames and passwords – is the Holy Grail for any digital spy. It would let hackers into vast areas of a company network without raising any flags, because they would appear to be legitimate users.
The dump also included a handful of OilRig’s hacking tools. One of them allowed OilRig operators to hijack connections going via the domain name system (DNS). The DNS is often called the phone book of the web: it is what routes a user’s PC or phone to the right web server when they type in an address or click on a link. If hackers can hijack the DNS, they can route a target’s web activity to their own servers, where they can set up phishing pages to trick people into handing over their login details. (This was not the same DNS attack Forbes reported on last week, which affected many North African and Middle Eastern organizations.) Also included in the leak were a number of backdoor tools used to gain persistent access to target networks.
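Because a DNS hijack shows up as an answer that no longer matches what the domain owner expects, one routine defensive check is to keep a known-good snapshot of an organization’s important records and diff fresh resolutions against it. The script below is an added illustration of that check, not code from the article or from any of the researchers it cites; the domain names, addresses and record lines are constructed sample data in zone-file style, and the record-type severity rule (a changed NS or MX delegation is treated as worse than a changed A record) is an assumption made for this example.

```python
"""Baseline comparison for spotting changed DNS answers (added example, constructed data)."""
from collections import namedtuple

Finding = namedtuple("Finding", "name rtype severity detail")

# Constructed known-good snapshot, in the "name ttl IN type rdata" layout that
# tools such as dig print. These names and addresses are hypothetical.
BASELINE_LINES = """
; known-good snapshot captured by the domain owner
mail.example.org.   300  IN A  203.0.113.10
mail.example.org.   3600 IN MX 10 mx1.example.org.
example.org.        3600 IN NS ns1.example.org.
example.org.        3600 IN NS ns2.example.org.
portal.example.org. 300  IN A  203.0.113.20
portal.example.org. 300  IN A  203.0.113.21
""".splitlines()

# Constructed observation from a later resolution run: the mail host's A record
# and one of the zone's NS records now point somewhere the owner never configured.
OBSERVED_LINES = """
mail.example.org.   300  IN A  198.51.100.7
mail.example.org.   3600 IN MX 10 mx1.example.org.
example.org.        3600 IN NS ns1.example.org.
example.org.        3600 IN NS ns9.example.net.
portal.example.org. 300  IN A  203.0.113.20
portal.example.org. 300  IN A  203.0.113.21
""".splitlines()

# Record types whose change means traffic or mail for the whole name is redirected.
HIGH_IMPACT_TYPES = {"NS", "MX"}  # assumption made for this example


def parse_records(lines):
    """Turn zone-file style lines into {(name, rtype): set(rdata)}.

    Blank lines and ';' comments are skipped; a name's trailing dot is removed so
    'example.org.' and 'example.org' compare as the same key.
    """
    snapshot = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # not a record line we understand
        name, rtype, rdata = parts[0].rstrip("."), parts[3], " ".join(parts[4:])
        snapshot.setdefault((name, rtype), set()).add(rdata)
    return snapshot


def compare_snapshots(baseline, observed):
    """Return one Finding per record set that differs from the baseline."""
    findings = []
    for (name, rtype), expected in baseline.items():
        actual = observed.get((name, rtype))
        if actual is None:
            findings.append(Finding(name, rtype, "medium", "record set missing from observation"))
            continue
        if actual == expected:
            continue
        added = sorted(actual - expected)
        removed = sorted(expected - actual)
        severity = "high" if rtype in HIGH_IMPACT_TYPES else "medium"
        findings.append(Finding(name, rtype, severity, f"added={added} removed={removed}"))
    return findings


if __name__ == "__main__":
    for f in compare_snapshots(parse_records(BASELINE_LINES), parse_records(OBSERVED_LINES)):
        print(f"[{f.severity}] {f.name} {f.rtype}: {f.detail}")
```

In practice the observed lines would come from resolving the baseline names through several independent resolvers on a schedule; any finding, and especially a changed NS or MX set, is the cue to check the registrar and DNS provider accounts rather than the web servers, since that is where this kind of redirection is made.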
Victims were primarily based in the Middle East, Palo Alto researchers said. Jordan, Saudi Arabia and the UAE were subjected to more attacks than others. That chimed with a brief analysis from a researcher who went by the name MisterCh0c, who listed a number of web servers the OilRig attackers had targeted. MisterCh0c told Forbes shortly after the leak that he had spoken with the leaker, who claimed to have access to 40 gigabytes of OilRig files and wanted to sell them for $30,000. Forbes could not get hold of Mr_L4nnist3r for validation of that claim.
Amongst the many web servers listed by MisterCh0c as a target was one for the Saudi Arabian Communications and Information Technology Commission. Another was the Dubai Statistics Association. Forbes had not received a response from the two organizations at the time of publication. It’s unclear if they were simply targets or had been successfully breached.
Chronicle of a leak
Shortly after the leak, researchers from Chronicle, a cybersecurity startup founded by Google owner Alphabet, went through the trove of data. It found a small handful of targets were based outside the Middle East, including a telecoms company in Zimbabwe, government bodies in Albania, and a South Korean gaming company. None of the victims’ names were revealed.
Looking at the OilRig files, Brandon Levene, head of applied intelligence at Chronicle, told Forbes that organizations that had failed to carry out basic hygiene were more susceptible to attacks carried out by hackers with time and resources.
“Sophistication is in the eye of the beholder; it’s a subjective term. Typically all a successful intruder needs is time and focus,” he added. “These tools are focused on gaining and maintaining access. Typically, most organizations omit the fundamentals when establishing security programs: this allows threat actors of all sorts to be effective.”
Source » forbes