Throwback Attack: Iranian-backed OilRig targets critical infrastructure in the Middle East

Image courtesy: CFE Media and Technology
Courtesy: CFE Media and Technology

Increased connectivity has produced countless benefits for individuals, society and companies, but it has also created an ever-expanding attack surface. One of the most profitable and potentially destructive targets for attack is critical infrastructure, which provides the backbone of national security and underpins the health and well-being of societies. In 2012, a new attack group appeared on the radar, the OilRig cyber espionage group, also known as APT34, Cobalt Gypsy, Europium and Helix Kitten.

Since its emergence, OilRig has been associated with various cyber espionage campaigns, primarily targeting organizations in the Middle East, particularly those in countries such as Saudi Arabia, the United Arab Emirates and Qatar. The group has shown a strong interest in sectors such as energy, telecommunications, financial services and government entities in the region. It has also proven to be one of the most persistent and adaptable threat groups, frequently changing tactics and still leveraging attacks to this day.

What is OilRig?

While the exact timeline and origins of OilRig may not be fully known, security researchers and cybersecurity firms began tracking their activities and attributing attacks to the threat group around 2014, during a wave of destructive attacks in the Middle East.

It’s believed that OilRig is a state-sponsored Iranian group, as its attacks have consistently aligned to Iran’s national interests. Over the years, OilRig has employed a range of attack techniques to compromise its targets. These include spear-phishing emails, social engineering strikes and watering hole attacks. The group has been known to send highly tailored and convincing phishing emails to trick employees into clicking on malicious links or opening infected attachments.

“They have conducted social engineering attacks through legitimate social networks like LinkedIn to deliver documents with fraudulent job offers from prominent organizations,” according to an article on AttackIQ. “They conducted destructive actions using wipers, such as the Disttrack malware family, during the Shamoon attacks. They also used supply chain compromises where the adversary exploited relationships of trust between organizations to reach their desired targets.”

OilRig utilizes custom-built malware and publicly available tools to carry out its operations. The group has been associated with several malware families designed to gain persistence on compromised systems, establish command and control channels and exfiltrate sensitive information. According to The Hacker News, recent attacks in 2021 and 2022 used backdoors such as Karkoff, Shark, Marlin and Saitama for information theft.

While the group has targeted various critical infrastructure sectors, it has shown a particular interest in the oil and gas industry, which is strategically significant due to its economic and geopolitical importance in the region.

It is believed that the primary objective of OilRig is to conduct cyber espionage, gathering intelligence and sensitive information from its targets. The stolen data may include classified documents, intellectual property, financial records and strategic information related to the oil and gas industry.

Though this threat group is likely more than 10 years old, it has demonstrated persistence and adaptability over time. OilRig has continued to evolve its tactics, techniques and procedures (TTPs) to evade detection and maintain access to compromised networks. As recently as February 2023, Trend Micro noted that OilRig is using a new backdoor to exfiltrate data.

Why cyber criminals target critical infrastructure

The critical infrastructure sector has been a target of nation-state actors and transnational groups for years — and for good reason.

Critical infrastructure systems often contain valuable information or provide essential services that cyber criminals can exploit for financial gain or leverage. For example, attacking a power grid or a financial institution within the critical infrastructure sector can result in significant financial rewards through ransom demands, theft of sensitive data or disruption of services that can lead to economic losses.

By targeting critical infrastructure, cyber criminals can cause widespread disruption and chaos. Harming services such as energy, transportation or communication networks can have cascading effects on society, impacting businesses, governments and individuals.

As with OilRig, many cyberattacks on critical infrastructure are driven by political or geopolitical motivations. Nation-states or state-sponsored threat actors target critical infrastructure of other countries as a form of espionage, political coercion or even to gain a strategic advantage during times of conflict. Good examples of this are the 2016  Industroyer attack that shut off power to about 200,000 people in Kiev and the 2010  Stuxnet attack that caused significant damage to Iran’s nuclear program.

Attacking critical infrastructure can also erode public confidence and trust in government institutions, corporations or the infrastructure operators themselves. This can have far-reaching consequences, including undermining societal stability and causing long-term economic damage. When Colonial Pipeline, the largest supplier of fuel to the East Coast, was targeted with ransomware in May 2021, there were fears of a fuel shortage, causing runs on gas stations throughout the southern United States.

Critical infrastructure can be uniquely vulnerable because — like much of operational technology — it runs on complex and interconnected networks as well as a mix of old and new systems. Cyber criminals can exploit these weaknesses, ranging from outdated software and weak security controls to human errors and social engineering techniques, to gain unauthorized access and carry out their malicious activities.

Tips to help protect critical infrastructure

Protecting critical infrastructure from cyberattacks requires a multilayered and proactive approach. Though threat actors are often innovating faster than defenders, there are some key measures that organizations within the critical infrastructure sector can take to enhance their cybersecurity:

  • Risk assessment and planning: Conduct a comprehensive risk assessment to identify vulnerabilities, threats and potential consequences. Develop a cybersecurity plan that outlines preventive measures, incident response procedures and recovery strategies tailored to the specific needs of the organization.
  • Network segmentation: Implement network segmentation to isolate critical systems from less secure areas. This helps contain potential breaches and limit the lateral movement of attackers within the network.
  • Strong access controls: Enforce strong access controls by implementing multifactor authentication (MFA), strong passwords and regular access reviews. Limit privileges to only those required for each user or system, reducing the impact of a compromised account.
  • Patch management: Establish a robust patch management process to ensure systems and software are up to date with the latest security patches.
  • Employee awareness and training: Conduct regular cybersecurity awareness training for employees to educate them about potential threats, phishing attacks, social engineering techniques and best practices for secure behavior. Encourage a culture of cybersecurity awareness throughout the organization.
  • Incident detection and response: Implement intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for suspicious activities. Establish an incident response plan to promptly detect, respond to and recover from cyber incidents effectively.
  • Continuous monitoring: Deploy security monitoring tools and technologies to continuously monitor network and system activity for signs of compromise or anomalies. Employ security information and event management (SIEM) solutions for centralized log management and real-time threat detection.
  • Regular vulnerability assessments: Conduct regular vulnerability assessments to identify weaknesses in systems and applications. This helps identify and address potential entry points for attackers.
  • Partnerships and information sharing: Collaborate with industry peers, government agencies and cybersecurity organizations to share threat intelligence, best practices and emerging threats. Participate in information sharing and analysis centers (ISACs) or sector-specific forums to stay informed about the latest threats.
  • Backup and recovery: Regularly back up critical data and systems, ensuring that backups are stored securely and tested for reliability. Implement disaster recovery plans to restore operations in the event of a cyber incident.
  • Cybersecurity governance: Establish a cybersecurity governance framework with clearly defined roles, responsibilities and accountability. Assign dedicated cybersecurity personnel or teams to manage and oversee cybersecurity efforts within the organization.

These measures, combined with ongoing monitoring, assessment and improvement, can significantly enhance the resilience of critical infrastructure against cyber threats. As OilRig has demonstrated over the years, attackers are always adapting. It is essential to counteradapt and evolve cybersecurity strategies to address emerging threats and stay ahead of evolving attack techniques.

Parts of this article were enhanced using ChatGPT.




Keep your finger on the pulse of top industry news