In the last few weeks, hacking tools apparently used by a prolific Iran-linked group have been publicly leaked, exposing the hackers’ malicious code, the IP addresses of their servers, and their alleged victims.
An unknown person or group began dumping the information last month via Telegram, and has since doxed alleged members of the group known to the cybersecurity community as OilRig, APT34, or Helix Kitten.
Whoever is behind the Telegram channel claimed to expose the “names of the cruel managers” behind OilRig, and pointed the finger at the Iranian intelligence ministry.
While the ties of those individuals to OilRig have not been confirmed, a remote-access trojan and other tools, which have since been posted to GitHub, are authentic and employed by the group, researchers tell CyberScoop. They have been used in a series of hacking campaigns in recent years that industry analysts say align with the interests of the Iranian government. Targets in those operations have included other Middle Eastern governments, and organizations in the aerospace, energy, and financial sectors, according to researchers.
A cat-and-mouse game could follow the data dump, analysts say. With the malicious tools more squarely in the public eye, companies could build better defenses, forcing the hackers to reconfigure some of their tools to meet their objectives. On the other hand, cybersecurity analysts have tracked and reported on the group’s tools for some time, and the hackers have still been successful.
“[T]his sort of insight into their tooling does give defenders a unique advantage and a unique way to begin detecting” some of these techniques, said Brandon Levene, head of applied intelligence at Alphabet’s Chronicle.
One of the takeaways from the data dump was OilRig’s preference for “web shells,” scripts that attackers plant on a server by exploiting web application vulnerabilities to write files to it, giving them a persistent way back in. From the leak, Kaspersky Lab researcher Alexey Firsh flagged more than 100 web shells that OilRig had reportedly deployed on servers around the world.
[Embedded tweet] — Alexey Firsh (@alexey_firsh) April 17, 2019
Alexander Heid, chief security officer at SecurityScorecard, said companies should use the leaked data to check if any of the OilRig web shells are on their servers.
“Companies and enterprises who run Windows IIS servers and ASPX applications should make use of the leaked codebase to determine if any of the web shells appear on their servers,” Heid told CyberScoop. “Companies should also take heed that the external perimeter of their enterprise – specifically the web app – is still an effective and powerful vector of attack.”
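The kind of check Heid describes, as an added example that is not part of the original article or of any vendor's tooling: a portable triage script that walks an IIS web root, hashes every ASP/ASPX-style file against a list of known web shell hashes, and flags files where request-controlled input sits next to command execution, dynamic code compilation, or raw file writes. The article does not publish the hashes of the leaked shells, so `KNOWN_SHELL_SHA256` holds an obviously fake placeholder that a defender would replace with digests from the leaked code; the indicator regexes and the default web root path are this example's assumptions, not anything from the leak.

```python
import hashlib
import os
import re
import sys
from pathlib import Path

# Placeholder only: the article gives no hashes. Replace with SHA-256 digests
# computed from the leaked web shell files before running this in earnest.
KNOWN_SHELL_SHA256 = {
    "0000000000000000000000000000000000000000000000000000000000000000",  # placeholder, not a real IoC
}

# Heuristic indicators (assumed, not from the leak) that are common in ASP.NET web shells:
# request-controlled input feeding command execution, code evaluation, or file writes.
INDICATORS = {
    "process_start": re.compile(r"System\.Diagnostics\.Process|Process\.Start\(", re.I),
    "shell_binary": re.compile(r"cmd\.exe|powershell(\.exe)?|/bin/sh", re.I),
    "dynamic_eval": re.compile(r"\beval\(|\bExecute\(|CodeDomProvider|CompileAssemblyFromSource", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
    "request_input": re.compile(r"Request\s*[\[.(]\s*\"?\w*|Request\.(Form|QueryString|Params|Headers)", re.I),
    "file_write": re.compile(r"File\.WriteAllBytes|FileStream\(|\.SaveAs\(", re.I),
}
# Sinks that, combined with request-controlled input, make a file worth a human look.
SINKS = ("process_start", "shell_binary", "dynamic_eval", "wscript_shell", "file_write")
SCAN_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx", ".cshtml"}


def sha256_of(path):
    """Stream the file through SHA-256 so large uploads don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def assess_file(path, known_hashes=KNOWN_SHELL_SHA256):
    """Return a triage record: exact hash match beats heuristics, heuristics beat nothing."""
    digest = sha256_of(path)
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if digest in known_hashes:
        verdict = "known_shell"
    elif "request_input" in hits and any(sink in hits for sink in SINKS):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"path": str(path), "sha256": digest, "indicators": hits, "verdict": verdict}


def scan_webroot(root, known_hashes=KNOWN_SHELL_SHA256):
    """Walk the web root and return every non-clean finding, including in nested app folders."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in SCAN_SUFFIXES:
                result = assess_file(p, known_hashes)
                if result["verdict"] != "clean":
                    findings.append(result)
    return findings


if __name__ == "__main__":
    # Assumed default: the stock IIS web root. Pass another path as the first argument.
    webroot = sys.argv[1] if len(sys.argv) > 1 else r"C:\inetpub\wwwroot"
    for f in scan_webroot(webroot):
        print(f"{f['verdict']:12} {f['sha256'][:16]}  {f['path']}  {','.join(f['indicators'])}")
```

The hash list catches the exact files from the leak; the heuristics are there because, as the article notes, the group can reconfigure its tools once they are public, and a recompiled or lightly edited shell will not hash-match. Every "suspicious" hit still needs a human to read the file, since legitimate admin pages sometimes launch processes too.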
The leak is reminiscent of the dump of tools allegedly used by the National Security Agency three years ago by a mysterious group dubbed the Shadow Brokers. However, while one of those powerful exploits was repurposed in devastating incidents like the WannaCry ransomware variant, the leaked OilRig tools cannot be reused to the same effect, according to Levene.
“These are no zero days here. This stuff is not going to be super easy to reuse or weaponize,” he said.
Speculation is rife about who is behind the OilRig leak, but threat analysts are starting with what they know and observe to build a profile of the person or group behind the leak.
Adam Meyers, vice president of intelligence at cybersecurity company CrowdStrike, said that the leaker has shown a “moderate technical understanding” of the hacking tools, but also a strong grasp of the context in which the data was dumped. For example, the leaker has an “acute familiarity with cybersecurity researchers focused on Iran, a fluent command of Farsi, and maintains connections to both opposition and state-linked Iranian news outlets and accounts,” Meyers told CyberScoop.
“At face value, the persona appears to be an Iranian dissident seeking to expose clandestine government cyber programs,” he said. “However, CrowdStrike Intelligence assesses that it is equally likely to be a counterintelligence effort, or potentially tied to an internal dispute between various entities within Iran’s highly nebulous and competitive cyber operations community.”