Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

Cyber Security Threat Summary:
The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. The operation resulted in the theft of files and passwords and, at one point, involved a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this group as "Crambus." The attackers used the PowerExchange implant to monitor emails on an Exchange Server, execute commands, and send the results back to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

In May 2023, Fortinet FortiGuard Labs brought attention to the use of PowerExchange in an attack chain directed at a government entity linked to the United Arab Emirates. This implant, once it logs into a Microsoft Exchange Server with predefined credentials, can monitor incoming emails in compromised mailboxes, allowing the threat actor to execute various payloads and transfer files to and from the compromised host.

Security Officer Comments:
Crambus is a seasoned espionage group with a strong track record in conducting lengthy campaigns focused on Iranian interests. Following a toolset leak in 2019, there were concerns about Crambus fading away. Nevertheless, its actions in the last two years clearly show that it remains an ongoing threat to organizations in the Middle East and beyond.

Suggested Correction(s):

Organizations can make APT groups’ lives more difficult. Here’s how:

  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.