OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks.

A massive targeted cyber espionage campaign against major Israeli institutions and government officials underscores just how far an Iranian nation-state hacking machine has come.

The Israeli Cyber Defense Authority yesterday announced that it believes Iran was behind the a series of targeted attacks against some 250 individuals between April 19 and 24 in government agencies, high-tech companies, medical organizations, and educational institutions including the renowned Ben-Gurion University. The attackers – whom security experts say are members of the so-called OilRig aka Helix Kitten aka NewsBeef nation-state hacking group in Iran -- used stolen email accounts from Ben-Gurion to send their payload to victims.

"This is the largest and most sophisticated attack they've [OilRig] ever performed," says Michael Gorelik, vice president of R&D for Morphisec, who studied the attacks and confirms that the final stage was thwarted for the most part. "It was a major information-gathering [operation]," he says.

OilRig has been rapidly maturing since it kicked off operations around 2015. The attack campaign against Israeli targets employed the just-patched Microsoft CVE-2017-0199 remote code execution vulnerability in the Windows Object Linking and Embedding (OLE) application programming interface. This flaw had been weaponized in attacks prior to the patch, including Dridex banking Trojan and botnet attacks, and in at least one other cyber espionage campaign.

This technique by OilRig is a step up from the group's previous MO of using malicious macros to spread malware, where it employed Microsoft Excel and Word files that required the victim to enable macros to get infected with malware. But this time around, no macros were necessary: the files contained an exploit via an embedded link packed with an HTML executable, according to researchers at Israeli security firm Morphisec who studied the new attacks.

OilRig managed to catch the victims during the patching window between when Microsoft issues a security update and organizations actually roll out the patch, security experts say. "The most important difference is that the use of macros was exchanged with a vulnerability exploit. With their ability to set up the attack in a relatively short time, the threat actors could correctly speculate that their window of opportunity between patch release and patch rollout was still open," according to Morphisec's blog post today.

The hacking group also was likely behind an attack campaign in January that employed a phony Juniper Networks VPN portal as well as phony websites purporting to be the University of Oxford, from which the attackers dropped malware.

Adam Meyers, vice president of intelligence at CrowdStrike, which has named this Iranian hacker group Helix Kitten, says the group has been advanced for some time. "There's this misconception that they weren't sophisticated before," he says. "This group has been active since 2015 and gone after aviation, energy, financial, and government" targets in various regions and countries, including the United Arab Emirates, Turkey, and Qatar, he says.

OilRig/Helix Kitten was not the first attack group to weaponize the Microsoft CVE-2017-0199 remote code execution vulnerability before it was patched, he notes, pointing to attacks in Ukraine, China, and in the US earlier this year. "It's unusual to see multiple threat actors pick up" a zero-day, he says, which could hint that of an 0day broker selling it to multiple "customers."

Meantime, Morphisec's Gorelik says in the latest round of attacks, OilRig employed a customized version of the open-source Mimikatz tool, which gives hackers access to user credentials in the Windows Local Security Authority Subsystem Service.

OilRig is among the ranks of nation-state gangs using open-source hacking tools. Kurt Baumgartner, principal security researcher for Kaspersky Lab's Global Research and Analysis Team, says OilRig, which Kaspersky calls NewsBeef, in the past year has relied heavily on open-source hacking tools, namely  BeEF for exploiting holes in browsers; Unicorn for PowerShell-type attacks; and on Pupy, for planting a remote administration tool, or RAT. That's a far cry from its earlier days, when it relied on social engineering accounts to target victims. "NewsBeef is not well-resourced, so this enables them to up their game," he says.

Politics 

Most of Iran's targets over the past few months have been in the Middle East – namely its nemesis Saudi Arabia – but this pivot to Israel should be a red flag to other nations embroiled in geopolitical conflict with Iran, such as the US, security experts say.

Tom Kellermann, CEO of Strategic Cyber Ventures, says the attacks indeed illustrate how Iran's nation-state hacking machine has evolved and advanced. He attributes this transformation to Russian advisors assisting Iranian hackers. Look for OilRig to go West soon, too, he says.

"Oilrig will tendril West to the USA due to the Secretary of State and President's visceral statements on Iran over that past month. The Iranians are not alone, as the Russian Pawn Storm [nation-state hacking] campaign will dramatically ratchet up due to tensions with US and NATO per the Baltics and the French election," he says.

Their attacks also may be more destructive, including data-wiping: "To this point these actors will be more inclined to burn the evidence and house … [the] network via destructive counter-IR [incident response] 'integrity attacks,'" which could hamper IR efforts and investigations, he says. "I am concerned that watering-hole attacks will increase, delivering 0days and wiper malware."

[Check out the two-day Dark Reading Cybersecurity Crash Course at Interop ITX, May 15 & 16, where Dark Reading editors and some of the industry's top cybersecurity experts will share the latest data security trends and best practices.]

Related Content:

 

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights