The infamous OilRig Advanced Persistent Threat (APT) group has been active in the Middle East and Turkiye for over a decade. OilRig is known for targeting high-profile government entities across the Middle East, Turkiye and Africa for cyberespionage purposes.
During the annual Cyber Security Weekend 2023 for the Middle East, Turkiye and Africa, recently held in Almaty, Kazakhstan, Kaspersky researchers announced the discovery of a series of attacks by a new malware supposedly developed by the OilRig APT group.
The OilRig APT commonly uses social engineering tactics and exploits software and technical vulnerabilities within its victims' environments.
However, experts noticed that the OilRig APT group has updated its arsenal, resorting to persistent, stealthier ways of infiltrating its targets through third-party IT companies.
OilRig APT Investigation
During an ongoing investigation that started in late 2022, experts discovered that the OilRig APT group has executed PowerShell scripts to gain access to terminal servers at IT companies in the region to collect credentials and sensitive data about their targets.
The group used the stolen information to infiltrate their targets and deploy malware samples that relied on Microsoft Exchange Web Services to perform Command & Control (C2) communications, and steal data.
The investigated malware appeared to be a variant of an older malware used by the threat actor.
To ensure persistent, stealthy access, the OilRig APT group deployed a new DLL-based password filter, which enabled them to intercept local and domain password changes.
This allowed the attackers to receive updated passwords along with other stolen and sensitive data sent from their targets’ email services to attacker-controlled Protonmail and Gmail addresses.
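A password filter DLL of the kind described above only works once it is registered with the Local Security Authority, so the registration itself is the thing defenders can audit. The following PowerShell script is an added example for this article, not code from Kaspersky's report or from the OilRig toolset; it reads the LSA "Notification Packages" value, compares each registered package against a baseline of the packages Windows ships by default, and checks that the backing DLL exists in System32 and carries a valid signature. The baseline list and the System32 location are assumptions about a typical host and should be adjusted to the environment's own known-good state.

```powershell
# Added example (not from the article): audit which password-filter DLLs are registered with LSA.
# Assumption: the baseline below reflects this host's known-good packages; adjust for your environment.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Packages Windows registers itself: scecli is always present, rassfm appears on some server roles.
# Any other entry is something an administrator or an attacker added.
$Baseline = @('scecli', 'rassfm')

function Get-PasswordFilterFindings {
    param(
        [string[]]$Baseline = $script:Baseline,
        [string]$LsaKey = $script:LsaKey
    )

    # 'Notification Packages' is a REG_MULTI_SZ: one DLL base name per entry, which LSASS
    # loads from System32 at boot and calls on every local or domain password change.
    $packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'

    foreach ($name in $packages) {
        $dllPath = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists  = Test-Path -LiteralPath $dllPath
        $sigStatus = if ($exists) {
            (Get-AuthenticodeSignature -FilePath $dllPath).Status
        } else {
            'Missing'
        }

        [pscustomobject]@{
            Package    = $name
            Path       = $dllPath
            InBaseline = ($Baseline -contains $name)
            FileExists = $exists
            Signature  = $sigStatus
            # Flag entries outside the baseline, and baseline entries whose DLL is unsigned or tampered.
            Suspicious = (-not ($Baseline -contains $name)) -or ($sigStatus -ne 'Valid')
        }
    }
}

$results = Get-PasswordFilterFindings
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Suspicious }) {
    Write-Warning 'Unexpected or unverified password filter DLL(s) registered in Notification Packages; investigate before the next reboot.'
}
```

Because LSA only loads notification packages at startup, a newly registered filter is inert until the host reboots; running this check on a schedule, and alerting on any change to the value, gives a window to respond before the DLL ever sees a password. The corresponding runtime evidence is Security event ID 4614 ("A notification package has been loaded by the Security Account Manager"), which records each package LSASS actually loaded at boot and can be compared against the same baseline.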
“OilRig has taken the meaning of “stealth mode” to the next level with its complex and heavily modified tactics, techniques, and procedures to exploit third-party IT companies,” Maher Yamout, Senior Security Researcher at Kaspersky said.
It is evident from our investigation that third-party attacks are stealthier and more agile and remain undetected in comparison to other tactics, posing a grave risk to the functioning of government entities in this region.
The radical shift to infiltrate IT companies that are part of a supply chain is an indication that regional government entities are stepping up their cybersecurity game, driving APT groups to think out of the box.
The researchers recommend governments and businesses follow the below tips and protect themselves from falling victim to third-party supply chain attacks:
- Invest in and build a holistic, well-integrated cybersecurity approach that protects data and assets beyond the perimeter of your organization.
- Leveraging Threat Intelligence is key. Using solutions like the Threat Intelligence Portal can equip IT teams with real-time data and insights and provide access to a rich source of expertise to build a strong defense.
- Conduct a penetration test within your organization and don’t leave out your third-party service providers.
- Your cyber defense is as strong as your employees, who are considered the first line of defense. Arm them with the right knowledge through solutions like the Automated Security Awareness Platform that automates cyber-awareness training for companies of any size.
- Back up your data regularly and scan it from time to time to maintain integrity.