20 June 2019

RIP APT34: Russian spies penetrated OilRig infrastructure to deploy malware

There is no guarantee that any state-sponsored hacking group can keep a tight grip on its own infrastructure, according to a new report from the cyber security firm Symantec. The researchers have uncovered evidence that the Russian-speaking group known as Turla (also tracked as Snake or Waterbug) carried out a hostile takeover of servers belonging to a rival hacking group, OilRig (also known as APT34 or Crambus), which security experts have previously linked to the Iranian government.

The hijacking apparently took place in January 2018, when a variant of the credential-stealing tool Mimikatz was downloaded onto a computer in a Middle Eastern government organization from a server previously controlled by OilRig. Mimikatz was delivered via the Powruner tool and the Poison Frog control panel; both the infrastructure and Powruner have been publicly tied to OilRig by a number of researchers.

Symantec believes the Mimikatz variant used in this attack is unique to Turla: it was extensively modified, with almost all of the original code stripped out. Turla is known for its use of heavily modified publicly available tools, something that is not common practice for OilRig.

While it is possible the two groups were collaborating, Symantec said it found no evidence to support that possibility. According to the report, the hijacking of OilRig’s infrastructure was most likely an opportunistic move by Turla, and there is no evidence that the Iranian group retaliated against the intruders.

As for the reasons behind the hijacking, the researchers offer several possible explanations. It could be a false flag tactic meant to throw investigators off the track. Alternatively, Turla may have wanted to compromise the target organization, found that OilRig was already there, and hijacked the rival’s infrastructure as a means of gaining access. It is also possible that the Mimikatz variant downloaded from the OilRig infrastructure was actually created by the Iranian APT, but Symantec considers this highly unlikely given the compilation technique and the fact that the only other occasion it was used has been linked to Turla.

The takeover of OilRig’s server was part of a series of operations carried out by Turla over the past year and a half against 13 organizations in 10 countries. The targets include government ministries in Europe, Latin America, the Middle East, and South Asia, as well as organizations in the IT and education sectors. In the recent campaigns the group has used “a swath of new tools”, including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools.
