TrapX, a U.S.-based cyber security and research company, is claiming that the OilRig hacker group, which is linked to Iran’s intelligence agencies, has potentially established links with Russian hackers-for-hire, according to a May 15, 2017, report in The New York Times.
The possible Russian connection to OilRig was discovered in April 2017 by TrapX cyber security employees while they were defending an unnamed U.S. defence company from an OilRig cyber attack. The operation against OilRig apparently involved real-time clashes with the hackers: TrapX defenders watched OilRig attempt to penetrate their client’s servers and immediately shut the intrusion attempts down. A few days later, TrapX defenders would see OilRig attempt another intrusion and again thwart the attack as it happened.
It was in the course of these attempted intrusions into their client’s servers that TrapX defenders noticed the OilRig hackers had started to use a tool set developed by a notorious Russian hacker-for-hire, one previously used in a Russian-linked cyber attack against the Ukrainian power grid in 2015.
The use of this tool set could have been coincidental, potentially the result of an OilRig member purchasing it from the Russian hacker-for-hire on the Dark Web. But it was the Russian-registered domain names and email addresses used in the attack against the TrapX client’s servers that raised suspicions that Russian hackers were working with Iran-linked OilRig.
OilRig has previously been linked to other operations carried out against Gulf Cooperation Council (GCC) member states, in which targets were lured to a false Oxford University website and malicious software – malware – was remotely downloaded through a compromised Microsoft Excel application.
The latest attack in Israel started in early April 2017, when OilRig used stolen email addresses from Ben Gurion University as a vehicle with which to target others. The emails sent from the stolen addresses carry a Microsoft Word document attachment containing malware, which is downloaded on to the targeted user’s device if the document is opened.
“This is the very first time we’ve cataloged an attack where Iranian hackers are working with Russian hackers-for-hire,” said Carl Wright, a TrapX executive, to The New York Times.
OilRig is among a number of hacker groups linked to Iranian intelligence and the Islamic Revolutionary Guard Corps (IRGC), and is believed to have been founded around 2015. Since then it has evolved into one of the more sophisticated and dangerous Iranian cyber entities.
“Oilrig will tendril West to the USA due to the Secretary of State and President’s visceral statements on Iran over the past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with U.S. and NATO per the Baltics and the French election,” said Tom Kellerman, CEO of Strategic Cyber Ventures in Washington, DC, after the OilRig cyber espionage operation in April 2017.
At the time, Kellerman asserted that Iranian cyber capabilities were benefiting from the know-how of Russian advisors, and that Iranian hacker groups like OilRig would become even more sophisticated and destructive. “To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] ‘integrity attacks,’” he said, which could complicate response efforts and subsequent investigations.
In previous years there have been persistent but largely unfounded rumours that Iranian cyber espionage and warfare organisations and proxies have been receiving Russian, Chinese, and even North Korean advice and assistance.