Numerous cyber security researchers are claiming that a short-lived yet sophisticated cyber espionage operation against Israeli technology, medical, defence, and academic targets was carried out by a group dubbed OilRig that is linked to Iran’s intelligence agencies.
OilRig have previously been linked to other operations carried out against Gulf Cooperation Council (GCC) member states where they lured targets to a false Oxford University website, and remotely downloaded malicious software – malware – through a compromised Microsoft Excel application.
The latest attack in Israel started in early April 2017, when OilRig used email addresses stolen from Ben Gurion University as a vehicle for targeting others. The stolen emails carry a Microsoft Word document attachment containing malware that is downloaded onto the targeted user’s device if the attachment is opened.
The flaw in Microsoft Word – technically known as CVE-2017-0199 – that has allowed OilRig to use it as a means to deliver malware to its targets had been identified over nine months ago, and apparently Microsoft were made aware of it at that time. For unknown reasons, however, Microsoft did not release the patch to fix the CVE-2017-0199 flaw until several weeks ago.
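The article says only that the malicious attachment is a Word document exploiting CVE-2017-0199. As an added, illustrative example that is not from the article or from any of the firms quoted in it, the following Python script shows how a mail gateway or incident responder can triage Word attachments for the two document shapes publicly associated with CVE-2017-0199 exploitation: an RTF whose embedded OLE object is an auto-updating OLE2Link, and a DOCX whose oleObject relationship points at an external URL. Those indicators come from public descriptions of the vulnerability, not from the article; the sample documents are constructed inside the script and carry no payload. A hit is a reason to quarantine and inspect, not proof of malice, and the heuristic is a stopgap for the patch-lag window the article describes, not a replacement for patching.

```python
"""Heuristic triage of Word/RTF attachments for the CVE-2017-0199 delivery pattern.

Added example; not code from the article or any vendor it quotes. Indicators are taken from
public write-ups of the vulnerability:
  * RTF: an OLE object with the \objautlink / \objupdate control words and a hex-encoded
    \objdata stream whose class name is "OLE2Link" (the object auto-updates from a URL moniker);
  * DOCX: an oleObject relationship in word/_rels/*.rels with TargetMode="External".
"""
import io
import re
import zipfile

RTF_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")
OLE2LINK_HEX = "OLE2Link".encode().hex().encode()  # b"4f4c45324c696e6b" as it appears in \objdata
OLE_REL_TYPE = b"relationships/oleObject"


def scan_rtf(data: bytes) -> list[str]:
    """Return indicator names found in an RTF body (empty list when nothing suspicious)."""
    findings = []
    lowered = data.lower()
    for word in RTF_CONTROL_WORDS:
        if word in lowered:
            findings.append("rtf:" + word.decode()[1:])
    # \objdata payloads are hex text, usually wrapped across lines: normalise before matching.
    for match in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", data):
        hexdata = re.sub(rb"\s+", b"", match.group(1)).lower()
        if OLE2LINK_HEX in hexdata:
            findings.append("rtf:ole2link-object")
            break
    return findings


def scan_docx(data: bytes) -> list[str]:
    """Return indicator names for a DOCX (zip) whose OLE relationships point outside the file."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for name in archive.namelist():
                if not name.endswith(".rels"):
                    continue
                for rel in re.findall(rb"<Relationship\b[^>]*>", archive.read(name)):
                    if OLE_REL_TYPE in rel and re.search(rb'TargetMode\s*=\s*"External"', rel):
                        findings.append("docx:external-ole-relationship:" + name)
    except zipfile.BadZipFile:
        pass  # not a valid OOXML container; outside this heuristic's scope
    return findings


def scan_attachment(data: bytes) -> list[str]:
    """Dispatch on container type. Word accepts a truncated '{\\rt' header, so match the prefix."""
    if data.lstrip().startswith(b"{\\rt"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):  # OOXML documents are zip containers
        return scan_docx(data)
    return []


def _build_docx(rels_xml: bytes) -> bytes:
    """Build a minimal in-memory DOCX with the given document relationships (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        archive.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples for the demonstration: no real exploit content, no live payload.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"
SUSPECT_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw1\\objh1{\\*\\objdata "
    b"0105000002000000 " + OLE2LINK_HEX + b" 00}}}"
)
BENIGN_DOCX = _build_docx(
    b'<Relationships><Relationship Id="rId1" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
    b'Target="styles.xml"/></Relationships>'
)
SUSPECT_DOCX = _build_docx(
    b'<Relationships><Relationship Id="rId2" '
    b'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
    b'Target="http://placeholder.invalid/update.doc" TargetMode="External"/></Relationships>'
)

if __name__ == "__main__":
    for label, sample in [("benign.rtf", BENIGN_RTF), ("suspect.rtf", SUSPECT_RTF),
                          ("benign.docx", BENIGN_DOCX), ("suspect.docx", SUSPECT_DOCX)]:
        hits = scan_attachment(sample)
        print(f"{label}: {'QUARANTINE ' + ', '.join(hits) if hits else 'no indicators'}")
```

The RTF check deliberately normalises whitespace inside `\objdata` and lower-cases control words, because hex streams are line-wrapped and Word is case-insensitive about control words; the DOCX check walks every `.rels` part rather than only `document.xml.rels`, since the external link can be placed in a header or footer part as well.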
“We have recently seen these actors and [other] cyber espionage actors targeting Asia adopt CVE-2017-0199. The vulnerability was a proliferation issue before it was patched, and remains one now,” said John Hultquist, Director of Cyber Espionage Analysis at iSIGHT Partners.
OilRig seem to have made good use of the window between the release of the Microsoft patch and its widespread installation by users to send the malware to their Israeli targets.
“The OilRig campaign is a multi-stage kill chain meant to burrow into Israeli critical defense infrastructure,” said Tom Kellermann, CEO of U.S. venture capital firm Strategic Cyber Ventures.
The Israeli Cyber Defence Authority announced on April 26, 2017, that it suspected Iran to be behind the espionage operation, and that it had been largely quelled.
OilRig are among a number of hacker groups linked to Iranian intelligence and the Islamic Revolutionary Guard Corps (IRGC), and are believed to have been founded around 2015. Since then they have evolved into one of the more sophisticated and dangerous Iranian cyber entities.
The latest OilRig operation against Israeli targets was “the largest and most sophisticated attack they’ve ever performed. It was a major information-gathering [operation],” said Michael Gorelik of Israeli cybersecurity company Morphisec.
“There’s this misconception that they weren’t sophisticated before,” said Adam Meyers of cybersecurity firm CrowdStrike. “This group has been active since 2015 and gone after aviation, energy, financial, and government” targets in a number of GCC countries and Turkey, he said.
“Oilrig will tendril West to the USA due to the Secretary of State and President’s visceral statements on Iran over the past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with U.S. and NATO per the Baltics and the French election,” added Kellermann, CEO of Strategic Cyber Ventures in Washington, DC.
Kellermann also asserts that Iranian cyber capabilities are benefiting from the know-how of Russian advisors, and that Iranian hacker groups like OilRig will become even more sophisticated and destructive. “To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] ‘integrity attacks,’” which could complicate efforts to respond and subsequent investigations, he says.
“I am concerned that watering-hole attacks will increase, delivering 0days and wiper malware,” he added, referring to the use of ‘zero-day’ exploits – attacks on a vulnerability that is not yet publicly known or patched – and to malware that wipes data from computers rather than merely copying it and sending it to unauthorised parties.
On that point, suspicions are also growing that Iranian cyber entities are behind the wave of Shamoon II cyber attacks against targets in Saudi Arabia that have been occurring since late 2016. The Shamoon II malware is similar in many regards to the original Shamoon attack in 2012 that was attributed to Iran and which destroyed thousands of computers at the Saudi Arabian oil company Aramco and the Qatari company RasGas.
Shamoon II has been attacking numerous Saudi companies and government ministries and agencies, again using false email addresses to deliver an attachment infected with the malware. If downloaded by an unsuspecting user, Shamoon II enters the private network and destroys all data in it.
With the ongoing strategic tensions and proxy wars between Saudi Arabia and Iran, the Shamoon II attack – if attributed to Iran – could be described as a form of economic warfare against Saudi interests.