Over the years, Iranian state-sponsored cyber espionage groups have launched hundreds of cyberattacks across the globe, causing major damage and data loss. These groups have shown they can stay under the radar until they are ready to act, and advanced persistent threats (APTs) such as Holmium can remain undetected for years while collecting private information from companies.
In 2019, Holmium's cloud-based intrusions gained full access to victims' networks within a week, giving the group the foothold it needed to steal information from, and in some cases wipe data at, oil, gas and heavy machinery manufacturers. Over the years, Holmium's attacks have cost companies millions of dollars in lost productivity and data.
Who is the Holmium group?
The Holmium group is one of the APTs most skilled at using cloud-based attack vectors. Researchers say Holmium has been active since at least 2015, but its activity ramped up in 2018, when it launched espionage and destructive attacks on the aerospace, defense, chemical, mining and petrochemical industries. The group, also tracked as APT33 and Elfin and associated with the StoneDrill wiper malware, has been linked to Iran.
Holmium has used several vectors to gain initial access: spear-phishing emails, sometimes carrying archive attachments that exploit CVE-2018-20250 (a path-traversal flaw in WinRAR's handling of ACE archives), and password spraying. Many of its more recent attacks, however, have used the penetration testing tool Ruler, which abuses Outlook and Exchange client-side features, in combination with compromised Microsoft Exchange credentials.
According to a Digital Guardian Blog article, “While not technically skilled — phishing is often thought of as one of the most unsophisticated attack vectors — the campaign is far-reaching. Companies, mostly unnamed, in Saudi Arabia, Germany, India, Britain, and some parts of the U.S. have been hit as part of the attack.” This widespread campaign affected around 200 companies over two years, one of them being Saipem S.p.A., an Italian oil and gas contractor. Another attack in December 2018 destroyed data at facilities in the Middle East, Scotland and Italy.
The attack sequence
According to Microsoft, a Holmium intrusion usually starts with an intensive password spray against exposed Active Directory Federation Services (ADFS) infrastructure. A password spray tries a few commonly used passwords against a large number of usernames, so each account sees only one or two failures and stays below its lockout threshold. Organizations that do not require multifactor authentication (MFA) for Office 365 accounts are at higher risk of account compromise from this technique. Through the spray, Holmium identified valid username and password combinations, then used VPN services with IP addresses associated with multiple countries to validate that the compromised accounts also had access to Office 365.
The next step was to use Ruler to set a malicious Outlook folder home page URL, which led to remote code execution of a PowerShell backdoor by exploiting CVE-2017-11774, a security feature bypass in Outlook's home page handling. The two domains used during this campaign were “topaudiobook.net” and “customermgmt.net.” This foothold allowed Holmium to install additional payloads on the endpoint with various persistence mechanisms, such as WMI event subscriptions (T1084, now T1546.003 in ATT&CK) or registry autorun keys (T1060, now T1547.001).
Once they had taken control of the endpoint and the cloud identity, the threat group was free to explore the victim's network, surveying user accounts and machines for additional compromise opportunities. According to the same Microsoft report, “Holmium attacks typically took less than a week from initial access via the cloud to obtaining unhampered access and full domain compromise, which then allowed the attackers to stay persistent for long periods of time, sometimes for months on end.” During these attacks, many organizations reacted too late in the attack chain, which made it harder to fully evict the attackers. If eviction is incomplete, the endpoint can be compromised again immediately and the attack starts anew.
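The chain just described (a spray against the federation endpoint, success on a handful of accounts, then a Ruler-style Outlook home page and WMI persistence on the endpoint) is easiest to spot when identity and endpoint telemetry are correlated rather than alerted on separately. The Python below is an added example written for this article, not code from Microsoft or from any tool named above. It runs over constructed sample events: the field names, the `registry_set` and `wmi_subscription` event types, the `WebView` registry location and the thresholds are assumptions; the two domains are the ones the campaign used.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample telemetry, not real logs. Sign-in records mimic fields
# pulled from ADFS / Office 365 sign-in logs; endpoint records mimic registry
# and WMI events from an EDR or Sysmon feed. Field names are assumptions.
SPRAYED_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                 "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SIGNIN_EVENTS = [
    # One source tries many accounts, one attempt each: the spray signature.
    *[{"ts": f"2019-03-04T09:{m:02d}:00", "user": u, "ip": "198.51.100.7", "result": "failure"}
      for m, u in enumerate(SPRAYED_USERS)],
    {"ts": "2019-03-04T09:30:00", "user": "carol", "ip": "198.51.100.7", "result": "success"},
    # The attacker re-checks the account from a different (VPN) address.
    {"ts": "2019-03-04T11:10:00", "user": "carol", "ip": "203.0.113.44", "result": "success"},
    # Benign noise: a user mistypes a password once from the office range.
    {"ts": "2019-03-04T09:05:00", "user": "bob", "ip": "192.0.2.5", "result": "failure"},
    {"ts": "2019-03-04T09:06:00", "user": "bob", "ip": "192.0.2.5", "result": "success"},
]
ENDPOINT_EVENTS = [
    {"ts": "2019-03-05T14:02:00", "host": "WS-CAROL", "user": "carol", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox",
     "value": "URL", "data": "http://customermgmt.net/"},
    {"ts": "2019-03-05T14:03:00", "host": "WS-CAROL", "user": "carol", "type": "wmi_subscription",
     "consumer": "CommandLineEventConsumer", "command": "powershell.exe -nop -w hidden -enc <redacted>"},
    # Benign autorun: an ordinary Run-key entry must not trip the Outlook rule.
    {"ts": "2019-03-05T15:00:00", "host": "WS-BOB", "user": "bob", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

CAMPAIGN_DOMAINS = {"topaudiobook.net", "customermgmt.net"}  # named in the report above
OUTLOOK_WEBVIEW = "\\outlook\\webview\\"  # folder home page lives under this key, value "URL"


def parse(ts):
    return datetime.fromisoformat(ts)


def find_password_spray(events, window=timedelta(hours=1), min_users=8):
    """Map each spraying source IP to the set of accounts it tried.

    A spray is one source failing against many distinct accounts inside one
    window; per-account failure counts stay low, so a lockout rule misses it.
    """
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            fails[e["ip"]].append((parse(e["ts"]), e["user"]))
    sprayers = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                sprayers[ip] = {u for _, u in attempts}
                break
    return sprayers


def compromised_accounts(events, sprayers):
    """Accounts that later signed in successfully from an IP that sprayed them."""
    return {e["user"] for e in events
            if e["result"] == "success" and e["user"] in sprayers.get(e["ip"], ())}


def success_ips(events, users):
    """All source IPs with a successful sign-in per user; surfaces the
    follow-on VPN addresses the attacker validates access from."""
    ips = defaultdict(set)
    for e in events:
        if e["result"] == "success" and e["user"] in users:
            ips[e["user"]].add(e["ip"])
    return dict(ips)


def persistence_findings(events):
    """Flag Outlook folder home page URLs and WMI command-line consumers."""
    findings = []
    for e in events:
        if e["type"] == "registry_set" and OUTLOOK_WEBVIEW in e["key"].lower() and e["value"].upper() == "URL":
            host = urlparse(e["data"]).hostname or ""
            sev = "high" if host in CAMPAIGN_DOMAINS else "medium"
            findings.append({**e, "technique": "outlook_homepage", "severity": sev})
        elif e["type"] == "wmi_subscription" and e.get("consumer") == "CommandLineEventConsumer":
            findings.append({**e, "technique": "wmi_subscription", "severity": "medium"})
    return findings


def correlate(signins, endpoints, max_gap=timedelta(days=7)):
    """Critical alert: endpoint persistence under an account that was sprayed
    and then signed in successfully from the spraying IP within max_gap."""
    sprayers = find_password_spray(signins)
    owned = compromised_accounts(signins, sprayers)
    first_success = {}
    for e in signins:
        if e["result"] == "success" and e["user"] in owned and e["ip"] in sprayers:
            t = parse(e["ts"])
            first_success[e["user"]] = min(t, first_success.get(e["user"], t))
    alerts = []
    for f in persistence_findings(endpoints):
        since = first_success.get(f["user"])
        if since is not None and timedelta(0) <= parse(f["ts"]) - since <= max_gap:
            alerts.append({"user": f["user"], "host": f["host"], "technique": f["technique"],
                           "severity": "critical",
                           "ips": sorted(success_ips(signins, {f["user"]})[f["user"]])})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SIGNIN_EVENTS, ENDPOINT_EVENTS):
        print(alert)
```

On the sample data the spray rule fires for a single source, carol is the one sprayed account that then authenticated, both of her persistence artifacts become critical alerts carrying both sign-in IPs, and bob's ordinary Run-key entry and one-off typo are ignored. The thresholds (eight accounts in an hour, a seven-day gap) are starting points to tune against real baselines.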
Whether the group is called Holmium, Elfin or APT33, it has played an active role in the cyber threat landscape for many years. Given the sheer number of attacks it has launched against the same industry sectors, it clearly has an agenda. In March 2019, Symantec reported on the activities of APT33, and the group has since updated its infrastructure. It has the means to evolve its strategies and attack infrastructure and to play the long game.
The best response to these threats is to be prepared for an attack at any time. Key steps are keeping systems up to date with the latest patches, requiring MFA on federated and Office 365 accounts so a sprayed password alone is not enough, and continually educating staff on best practices for defending the company's network. To detect hybrid attacks like Holmium's, companies need visibility that correlates events across multiple domains: cloud, identity and endpoints.