20 June 2019

RIP APT34: Russian spies penetrated OilRig infrastructure to deploy malware


There’s no guarantee that any state-sponsored hacking group can keep a tight grip on its own infrastructure, shows a new report from the cyber security firm Symantec. The researchers have uncovered evidence that the Russian-speaking group known as Turla (also called Snake or Waterbug) conducted a hostile takeover of servers belonging to a rival hacking group called OilRig (APT34, Crambus), which security experts have previously linked to the Iranian government.

The hijacking apparently took place in January 2018, when a variant of the credential-stealing tool Mimikatz was downloaded on a computer in a Middle Eastern government organization from a server previously controlled by OilRig. Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. Both the infrastructure and the Powruner tool have been publicly tied to OilRig by a number of researchers.

Symantec believes that the variant of Mimikatz used in this attack is unique to Turla, as it was extensively modified, with almost all original code stripped out. Turla is known for its use of heavily modified publicly available tools, something that is not a common practice for OilRig.

While it’s possible the two groups were collaborating, Symantec said it found no evidence to support that possibility. According to the report, the hijacking of OilRig’s infrastructure was likely an opportunistic move by Turla, and there is no evidence that the Iranian group retaliated against the intruders.

As for the reasons behind the hijacking, the researchers offered several possible explanations: it could be a false-flag tactic to throw investigators off the track, or Turla may have set out to compromise the target organization, found that OilRig was already there, and instead hijacked that infrastructure as a means of gaining access. There is also a possibility that the version of Mimikatz downloaded from the OilRig infrastructure was actually created by the Iranian APT, but this is highly unlikely considering the compilation technique and the fact that the only other occasion on which it was used was linked to Turla.

The takeover of OilRig’s server was part of a series of active operations carried out by Turla over the last year and a half against 13 organizations in 10 different countries. The list of targeted entities includes government ministries in Europe, Latin America, the Middle East, and South Asia, as well as organizations in the IT and education sectors. In the recent campaigns the group has used “a swath of new tools”, including custom malware, modified versions of publicly available hacking tools, and legitimate administration tools.
