Iranian Nation-State Actor OilRig Targets Israeli Organizations
In recent developments, Iranian state-sponsored hacking group OilRig, also known as APT34, has been found targeting Israeli organizations through two distinct cyber campaigns in 2021 and 2022.
These campaigns, termed Outer Space and Juicy Mix, involved the utilization of previously identified first-stage backdoors, Solar and Mango, for data collection purposes.
Key Takeaways: Iranian Nation-State Actor OilRig Targets Israeli Organizations
- Iranian hacking group OilRig, also known as APT34, has conducted cyber campaigns named Outer Space and Juicy Mix against Israeli organizations in 2021 and 2022.
- The campaigns employed Solar and Mango, two known first-stage backdoors, to gather sensitive data from major web browsers and the Windows Credential Manager.
- OilRig, affiliated with Iran’s Ministry of Intelligence and Security (MOIS), has been active since 2014, demonstrating a persistent focus on information theft.
Unveiling the Iranian Cyber Campaigns: Outer Space and Juicy Mix
OilRig’s Ongoing Cyber Activities
OilRig, a nation-state hacking group linked to Iran’s Ministry of Intelligence and Security (MOIS), has come into the spotlight for conducting cyber campaigns targeting Israeli organizations.
These campaigns, identified as Outer Space and Juicy Mix, have been executed in 2021 and 2022, respectively.
Notably, OilRig is also recognized under aliases such as APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten.
Exploiting Known Backdoors: Solar and Mango
Both Outer Space and Juicy Mix campaigns leveraged two previously documented first-stage backdoors: Solar and Mango. These backdoors were utilized to extract sensitive information from prominent web browsers and the Windows Credential Manager.
It is suspected that these backdoors were disseminated through spear-phishing emails.
OilRig’s Flexibility and Diverse Tools
OilRig has demonstrated flexibility in its cyber operations. Earlier this year, the group was discovered employing a simple backdoor to pilfer user credentials, showcasing its ability to develop new malware tailored to specific targets and access levels.
The group has also been observed using SideTwist in a phishing attack, likely aimed at U.S. businesses.
Focus on Israeli Targets
OilRig’s sustained focus on Israeli targets is evident in its cyber activities. Spear-phishing lures have been employed to trick potential victims into installing malware through malicious email attachments.
The group’s strategies involve compromising legitimate websites to serve as command-and-control servers for its backdoors.
Detailed Insights into the Attacks
In the Outer Space campaign observed in 2021, OilRig compromised an Israeli human resources website, subsequently using it as a command-and-control server for the Solar backdoor.
Solar, a C#/.NET backdoor, facilitated the download and execution of files, as well as the extraction of data from the Chrome web browser.
Advanced Techniques in the Juicy Mix Campaign
In the Juicy Mix campaign of 2022, OilRig employed the Mango backdoor, an enhanced version of Solar, featuring additional capabilities and obfuscation methods.
The compromised target in this instance was a legitimate Israeli job portal website.
Continued Innovation and Persistent Threat
OilRig continues to evolve and create new cyber implants with backdoor-like functionalities, consistently seeking novel ways to execute commands on remote systems.
The group employs custom post-compromise tools to collect credentials, cookies, browsing history, and data from the Windows Credential Manager.
Conclusion
The revelation of OilRig’s cyber campaigns targeting Israeli organizations emphasizes the critical importance of robust cybersecurity measures.
The persistence and adaptability of this threat actor underscore the need for heightened vigilance and security in safeguarding against evolving cyber threats.
About OilRig (APT34):
OilRig, also known as APT34, is a nation-state hacking group associated with Iran’s Ministry of Intelligence and Security (MOIS). Active since 2014, this threat actor has displayed a consistent focus on cyber espionage and information theft, using a variety of cyber tools and techniques to achieve its objectives.