Group: OilRig, CHRYSENE, ...
Jump to navigation
Jump to search
| OilRig, CHRYSENE, ... | |
|---|---|
| Group | |
| ID | G0010 |
| Associated Groups | OilRig, CHRYSENE, Greenbug, APT 34 |
| External Contributors | Dragos Threat Intelligence |
OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas.123 OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco.
Associated Group Descriptions
Techniques Used
- Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.5
- Scripting - OilRig has embedded a macro within spearphishing attachments that has been made up of both a VBScript and a PowerShell script.5
- Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests.5
- Drive-by Compromise - OilRig has been seen utilizing watering hole attacks to collect credentials which could be used to gain access into ICS networks.6
- Valid Accounts - OilRig utilized stolen credentials to gain access to victim machines.3
References
- a b N.A. (n.d.). Advanced Persistent Threat Group 34. Retrieved October 31, 2019.
- ^ Manish Sardiwal et al.. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved October 31, 2019.
- a b c d Dragos. (n.d.). Chrysene. Retrieved October 27, 2019.
- ^ Bryan Lee, Robert Falcone. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved October 31, 2019.
- a b c Robert Falcone, Bryan Lee. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
- ^ Eduard Kovacs. (2018, May 21). Group linked to Shamoon attacks targeting ICS networks in Middle East and UK. Retrieved January 3, 2020.
