United Arab Emirates hit by supply chain attack

The prolific Iran-linked advanced persistent threat (APT) group APT34, also referred to as OilRig, has been detected orchestrating a supply chain attack with the primary objective of infiltrating government targets within the United Arab Emirates (UAE). The group was discovered engaging in cyber espionage against government clients of an IT firm in the region.

OilRig is an Iran-linked APT group that also goes by the names Cobalt Gypsy, Twisted Kitten and Crambus. The group was identified in 2015 and is believed to be linked to the Iranian intelligence agency and the Islamic Revolutionary Guard Corps (IRGC). At first, the group was perceived as immature and not highly sophisticated, but it has rapidly evolved and is now recognized as a sophisticated and dangerous Iranian cyber APT that operates primarily in the Middle East.

A supply chain attack is one in which an attacker infiltrates your digital infrastructure through an outside provider or partner that has access to your data and systems. Because the outside party has been granted the rights to use and manipulate areas of your network, your applications, or sensitive data, the attacker only has to either penetrate the third party’s defenses or plant a loophole in a solution offered by a vendor in order to reach your systems.

According to Maher Yamout, the lead security researcher at Kaspersky’s EEMEA Research Center, the attackers employed a deceptive tactic involving a malicious recruitment form for IT jobs. APT34, also known as OilRig, set up a counterfeit website posing as a UAE-based IT company. They then dispatched the fraudulent job application form to a targeted IT company. When the recipient opened the malicious document, seemingly intending to apply for the advertised IT position, it triggered the execution of malware designed to steal information.

Yamout explains that the malware gathered sensitive data and credentials, enabling APT34 to breach the networks of the IT company’s clients. He elaborates that the attacker then focused on government clients, using the compromised IT group’s email infrastructure both for command-and-control (C2) communication and for data exfiltration. Kaspersky couldn’t conclusively verify the success of the government-targeted attacks due to limited downstream visibility. However, Yamout asserts a “medium-high confidence” assessment that they succeeded, based on the group’s established track record.

Kaspersky’s research reveals that the malware samples employed in the UAE campaign bore a striking resemblance to those used in a previous APT34 supply chain breach in Jordan. The tactics, techniques, and procedures (TTPs) were similar, with government entities as the ultimate targets. In that particular case, Yamout suspected that LinkedIn had been exploited as the delivery method, using a fabricated job application form to impersonate an IT company’s recruitment initiative.

We would make two recommendations to avoid similar incidents:

First, vendor due diligence (VDD): thoroughly vet and assess the cybersecurity practices of third-party vendors and partners before granting them access to your systems and data. Ensure that they have robust security measures in place to prevent unauthorized access and potential exploitation.

Second, employee training and awareness: conduct cybersecurity training and awareness programs for employees to educate them about phishing tactics and social engineering attempts. Teach them to be cautious when interacting with emails, attachments, and links from unknown or suspicious sources.

Sources:

https://attack.mitre.org/groups/G0049/

https://www.darkreading.com/dr-global/iran-apt34-uae-supply-chain-attack

https://securelist.com/apt-trends-report-q2-2023/110231/

https://www.darkreading.com/edge/job-seekers-look-out-for-job-scams

Author:

Ákos Sipos (UPS Student)