Iranian Cyber Activity Rising: Leafminer, OilRig Leading the Way

Once again, cybersecurity researchers have Iran in their sights. Symantec, Palo Alto Networks, and German intelligence are all accusing Tehran of numerous cyber campaigns that have recently come to light.

The widely known OilRig group (aka Helix Kitten, APT34) has been singled out by Unit 42 researchers due to multiple attacks launched between May and June of this year. The researchers stated that the campaign involved three separate waves of attacks and that all three used a single spear-phishing email that had been purposely crafted to look like it came from a Middle Eastern government agency.

Unit 42 wrote in a report: “Based on our telemetry, we have high confidence the email account used to launch this attack was compromised by the OilRig group, likely via credential theft.”

This time, the group was after an unnamed government entity and a technology services provider whose name was also not released. Using a high degree of obfuscation, OilRig made the malicious emails appear to have come from the very country that was under attack; however, Unit 42 determined that the attack originated from a different country, most likely using stolen credentials.

This particular attack involved the delivery of the QUADAGENT PowerShell backdoor, a tool that has been linked to OilRig by FireEye and ClearSky Cybersecurity, according to a statement made by Unit 42.

The group responsible for the spear-phishing attack put a great deal of effort into uncovering the email addresses of their targets, since those addresses could not easily be discovered using common internet search engines. The researchers felt this indicated that the targets were probably on a list collected before the actual attack was executed, or that known associates of the compromised email accounts were used to send the attack messages.

In all of the attacks, a portable executable file was the deliverable; once downloaded, it installed the backdoor, established persistence, and contacted its command-and-control server. After that, it continued to run silently.

Symantec researchers also discovered Leafminer, a new espionage campaign found to be based out of Iran. So far, it has attacked a lengthy list of businesses and governments across the Middle East, including targets in Saudi Arabia, Iran, Israel, Pakistan, and Egypt.

Symantec wrote in their report: “Leafminer is a highly active group, responsible for targeting a range of organizations across the Middle East. The group appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors.”

Symantec researchers pieced together numerous pieces of evidence placing Leafminer in Iran. A hit list of 809 separate targets, written in Farsi, was discovered, and back in June of this year, researchers also uncovered a server housing 112 files that were all accessible via a web shell the group had planted.

The country hit the hardest was Saudi Arabia, which Iran considers a major enemy: 28 systems in Saudi Arabia were infected. Lebanon came in 2nd with 8 of its systems infected, and Israel and Kuwait were in 3rd and 4th place. Saudi Arabian healthcare facilities and the Lebanese intelligence agency were among those targeted.
