Final Project for the Cybersecurity for Everyone Course- Oilrig.pptx
1. Final Project for the
Cybersecurity for Everyone
Course: Oilrig
By: Mustofa Abdulhafiz Ahmed
2. Hackers are not all the same; they range in skill, resources, and capability and often
go by different names. How would you classify this threat actor? Do they go by any
aliases? Where are they from? How would you rate the skill level and resources
available to this threat actor?
OilRig has been classed as an Advanced Persistent Threat (APT) because of the multiple attacks it has
undertaken, each of which has varied in efficacy. The Iranian government is behind OilRig.
Cobalt Gypsy is one of its other identities; others include IRN2, Helix Kitten, Twisted Kitten,
and APT34.
According to a Forbes article citing the Israeli IT business ClearSky, OilRig's roots can be traced back
to Iran, and the Counter Threat Unit of the cyber intelligence company SecureWorks is confident that
the group is tied to the Iranian government. They have had success in the Middle East while conducting the
majority of their operations elsewhere. OilRig targets businesses outside of Iran, whereas the vast
majority of Iranian threat actors target government institutions and opposition figures.
Because it works with or for the Islamic Republic of Iran, OilRig is confident in its ability to carry out
any activity expected to benefit Iran. This resembles the Mabna Institute incident, in which the Islamic
Revolutionary Guard Corps enlisted an Iranian institution (the Mabna Institute) to carry out a massive
spear-phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion
dollars in intellectual property (IP).
3. Hackers are motivated to act for specific reasons. What are the motivations of your
threat actor? What is the specific geo-political context they are operating in and what
insight does that give you for why they are operating in this manner?
According to the Council on Foreign Relations, OilRig's espionage targets private-sector and
government organizations. According to Merriam-Webster, espionage is the practice of spying or
using spies to obtain information about a foreign government's or a competing company's plans
and operations. The Cambridge Economic English Dictionary defines it as "the act of secretly
obtaining and reporting information, particularly covert political, military, business, or industrial
intelligence."
According to the Middle East Institute (MEI), "many countries stopped doing business with Iran as a
result of the Iranian Revolution of 1979, and so stealing academic and corporate information from
around the world allows it to renew infrastructure and build technologies that it simply cannot
purchase abroad, ranging from weaponry to airplane parachute." Because Iran is subject to
economic sanctions, it relies on what many call "soft war" (less regulated, low-level conflict
sustained over long periods) in cyberspace, with the public and commercial sectors of adversary
nations as its targets. MEI also anticipated that Iran-linked organisations would focus on two cyber
activities in the medium and long term: international election meddling and widespread intellectual
property (IP) theft.
4. OilRig Attack Case Studies: The Hacking Process Tactics on Their Targets
and the Primary, Secondary, and Second-Order Effects
• Attack 1: An attack by OilRig utilizing AI Squared software
• Attack 2: An OilRig assault masquerading as Oxford University
• Attack 3: Attack on Al-Elm and Samba Financial Group by OilRig
• Attack 4: Attack on job seekers by OilRig
• Attack 5: Attack on Israeli IT providers by OilRig
5. Attack 1 - AI Squared software used in an OilRig attack
• AI Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid
visually impaired internet users. According to Forbes, security firm Symantec told AI Squared that
the certificates used to authenticate its software had been compromised, implying that a threat
actor (OilRig) had obtained AI Squared's signing key and certificates and used them to disguise
their own malware.
• The plan was to use the software for the visually impaired as a surveillance tool that would look
genuine to security systems in the Middle East, Europe, and the United States. According to a 2017
notice on the AI Squared website, the digital certificate used to sign newer ZoomText and
Window-Eyes software products had been compromised and was therefore revoked.
6. Attack 1
• Reconnaissance: OilRig judged that the AI Squared tech business had software that would let the gang
quickly reach its victims in the Middle East, Europe, and the United States, where it has a large number
of targets.
• Weaponization: OilRig is said to have obtained AI Squared's signing key and certificate and used them to
sign its own malware. Many individuals had considered adopting AI Squared's (by then compromised)
software to help the visually impaired access the internet.
• Installation and Exploitation: To ensure the program works properly, users install and test it on
their PCs.
• Command and Control: By unknowingly installing the program (malware), victims give the OilRig gang
information that may be exploited to gain access to larger networks.
• OilRig has infected software for the blind with malware for espionage purposes. The primary effect is
that the end host is exploited.
• Secondary effects on revenue, reputation, and macroeconomics: Sales would be lower than predicted
since OilRig's spyware tainted the application. Customers would then rely on reputation to find new
software that provides the same kind of service. Macroeconomics: if the program becomes tainted, the
personnel working on it may change.
• Second-order information/perception effect: Anyone with access to the program could get the
impression that the business is just a cover for spying.
7. Attack 2 - Attack by OilRig posing as Oxford University
• In November 2016, the OilRig group registered two phoney Oxford University pages, according to
ClearSky. The first is a website for registering for conferences, while the second claims to offer
employment at the university.
• Both pages had a download button for visitors. One file is the registration form for the fictional
event, and the other is an Oxford University CV builder. After clicking, victims unknowingly hand
their data to Helminth, the malware OilRig uses to hijack the PC and steal data.
8. Attack 2
• Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once.
• Weaponization - OilRig made two fictitious Oxford University websites, one of which appeared to be
a job board and the other a place to sign up for conferences.
• Delivery - People interested in working for Oxford or attending a conference that Oxford is hosting
are likely to follow the fictitious page's instructions.
• Installation and Exploitation - Once on the fake website(s), victims are encouraged to fill in what seems
to be a normal registration form and to download files infected with OilRig's surveillance malware.
• Command & Control - Because people registered and downloaded files from the bogus websites, OilRig now
has access to the computers infected with Helminth and has gathered basic information about its
victims.
• Initial Impact - Utilization of the End Host: OilRig set out to gather personal data through the fictitious
Oxford website it developed.
• Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer as a result of the
fake website's use of its name and other identifiers.
• Second-order effects on perception and information: Everyone who provided personal information and
registered on the fictitious Oxford websites may now choose other universities to be affiliated with,
which is a regrettable development.
9. Attack 3 - Attack by OilRig on Samba Financial Group and Al-Elm
• According to a 2017 Forbes article, the group began conducting phishing attacks in May 2016
from servers owned by the Saudi Arabian contractor and IT security firm Al-Elm. The email was
inserted into an existing conversation between the Saudi Arabian lender Samba Financial Group and
Al-Elm. It carried an Excel attachment called "notes.xls", which, when opened by the recipient,
would launch OilRig's Helminth surveillance kit.
• In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from
within the sender's company and that "the threat actor previously compromised those
organisations," according to SecureWorks intelligence analyst Allison Wikoff.
10. Attack 3
• Reconnaissance - The target here is the Samba Financial Group, which reported a profit of $290 million for
the most recent quarter of the previous year.
• Weaponization - The OilRig group decided to use Al-Elm's previously compromised network to
communicate with Samba Financial Group.
• Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them carried OilRig's
Helminth spying programme.
• Installation and Exploitation - Once the email has been sent, anyone who opens the "notes.xls" Excel
attachment has the Helminth surveillance kit installed on their computer.
• Command & Control - After the email is opened everything might appear to be in order, but OilRig has
installed the surveillance kit, giving it access to that computer and perhaps to the company's network.
• Initial Impact - Use of the End Host: OilRig delivered the Helminth surveillance kit to Al-Elm
Security and Samba Financial Group through phishing emails.
• Secondary effects on reputation and remediation: Remediation - depending on how badly they were
affected, the infected devices on both ends would now be scanned, cleaned, and possibly replaced.
Reputation - a threat actor interfering with an IT security company's client relationships damages that
company's reputation, so such interference must be prevented.
• Second-order effects on perception and information: Because of the phishing emails, both businesses will
now proceed with great caution when forming new business alliances.
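As an added example (not part of the original project), the two checks a mail gateway would apply to a message like the one in Attack 3, written in Python over a constructed sample: the Received-header origin check passes here precisely because the mail really came from the compromised sender's own servers, so the quarantine decision has to rest on the macro-capable notes.xls attachment. Hostnames, addresses and the IP are placeholders.

```python
import os
import re
from email import policy
from email.parser import BytesParser
# Constructed sample modelled on the Attack 3 description: the mail really
# comes from the (compromised) contractor's own server and carries an Excel
# attachment named notes.xls. Hostnames, addresses and the IP are placeholders.
RAW_MSG = b"""Received: from mail.contractor.example (mail.contractor.example [192.0.2.10])
 by mx.bank.example with ESMTPS id abc123; Mon, 9 May 2016 10:00:00 +0300
From: "Project Lead" <lead@contractor.example>
To: finance@bank.example
Subject: RE: RE: project timeline
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/vnd.ms-excel; name="notes.xls"
Content-Disposition: attachment; filename="notes.xls"

AAAA
--b1--
"""

# Legacy and macro-enabled Office formats that can carry executable macros.
MACRO_CAPABLE = {".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".ppt", ".pptm"}

def originating_host(msg):
    """Hostname in the earliest Received header (listed last, since each relay prepends its own)."""
    received = msg.get_all("Received") or []
    m = re.search(r"\bfrom\s+([\w.-]+)", str(received[-1])) if received else None
    return m.group(1) if m else None

def origin_matches_sender(msg):
    """True when the first hop sits in the From: domain. A pass does not clear the
    mail: in the Al-Elm case the sender's own servers really were compromised."""
    domain = msg["From"].addresses[0].domain.lower()
    host = originating_host(msg)
    return host is not None and host.lower().endswith("." + domain)

def risky_attachments(msg):
    """Filenames of attachments in formats that can carry macros."""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    return [n for n in names if os.path.splitext(n.lower())[1] in MACRO_CAPABLE]

def triage(raw):
    """Gateway checks; quarantine rests on the attachment, since the origin check is expected to pass here."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    risky = risky_attachments(msg)
    return {"origin_ok": origin_matches_sender(msg), "risky_attachments": risky,
            "in_thread": msg["Subject"].lower().startswith("re:"), "quarantine": bool(risky)}
```

The "in_thread" flag records that the attachment arrived as a reply in an existing conversation, which is exactly what made the Al-Elm message convincing.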
11. Attack 4 - Attack by OilRig on job seekers
• The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts
in the same report as the earlier incident that the group has been sending emails containing
malware from legitimate email addresses belonging to two Egyptian IT service providers and to one
of the biggest IT service providers in Saudi Arabia, the National Technology Group.
• These email addresses were used to send emails to an unnamed Middle Eastern organization with
links to job offers. The attachments contained PupyRAT, an open-source remote access trojan
(RAT) that runs on Android, Linux, and Windows.
12. Attack 4
• Reconnaissance - OilRig set out to attack an unnamed entity in the Middle East.
• Weaponization - The OilRig group decided to send a malicious email using National Technology Group, a Saudi
Arabian IT supplier, and ITWorx, an Egyptian IT service provider.
• Delivery - OilRig sent its victims alluring job offers from email accounts owned by the IT firms.
• Installation and Exploitation - When recipients clicked the link or attachment in the email, an open-source
remote access trojan was waiting for them.
• Command & Control - After the link has been clicked, the malware starts gathering login information from
the user and the computer.
• Initial Impact - Use of the End Host: OilRig sent a range of targets emails that contained links to job
offers from reputable IT companies and were infected with an open-source remote access trojan.
• Secondary reputational consequences: Candidates may think twice before accepting a position with these IT
companies, even if the job offers are legitimate, now that they can trace the PupyRAT's origin to those
firms and link it to their own devices.
• Second-order effects on information and perception: The companies risk developing a reputation for
monitoring both past and present customers.
13. Attack 5 - Attack by OilRig on Israeli IT vendors
• The research team at ClearSky reports that OilRig used a compromised account to send emails to a
number of targeted Israeli IT vendors.
• The email is a simple request for assistance with the details of a fictitious customer.
• After entering their login information, the victim is asked to install a genuine Juniper VPN
programme, which has been bundled with Helminth, the malware the group frequently uses for
surveillance.
14. Attack 5
• Reconnaissance - OilRig believes that, because Israel is its intended target, attacking IT vendors will
help it break into crucial networks.
• Weaponization - It is taken as given that OilRig already has access to hacked user accounts from different
Israeli IT vendors.
• Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
• Installation and Exploitation - When the victim tries to access the customer's account with the provided
credentials, they are prompted to download a Juniper VPN in order to continue. The genuine Juniper VPN
comes bundled with the spying malware Helminth.
• Command & Control - After a successful installation, OilRig has access to the device and to the emails of
many other clients and customers who use the vendor's services.
• Initial Impact - Utilization of the End Host: OilRig posed as customers who needed help because it wanted
to break into Israeli networks.
• Secondary Impact on Cleanup: Remediation - Some employees of the company may have followed the threat
actor's instructions because it is their job to keep customers satisfied. As a result, businesses may
need to inspect, clean, or replace their equipment.
• Second-order effects on information and perception: People who use the VPN may worry that their devices
carry the surveillance malware Helminth because it was bundled with a legitimate Juniper VPN.
15. Not all hackers represent a strategic problem for policy makers. How would you
characterize your threat actor, are they chiefly a private problem for businesses or a
public concern for policy makers? How should policy makers respond?
• The range of OilRig's targets makes them an Advanced Persistent Threat (APT). Their primary
activity is espionage; instead of erasing or altering anything they gain access to, they simply sit
back and relax while their Helminth malware does its work. For most of their espionage operations
they have used compromised email to obtain stolen information. OilRig is interested in targeting
private industries, and it mostly uses subtle methods like phishing. They pose a clear threat to
businesses, but because these organisations have connections with both private and public
institutions, one email could give them access to a powerful corporation or government office,
making them both a private issue and a public one. The best course of action would be to impose
more economic sanctions, since OilRig has been identified as an Iranian threat actor.
16. (continued) How should policy makers respond?
• The pressure that one nation alone can exert on Iran to make good on any harm caused by cyber
espionage is limited. It is feasible, but it could take a very long time, and once secrets are
compromised they cannot be replaced. If Iran agrees, or if other nations share these concerns,
policymakers could work together to craft treaties that would penalise and deter threat actors
operating from Iran. If a group of nations wants to rewrite the Iran Nuclear Deal in the future, it
should include clear punishments, rather than financial incentives, for any cyber-related activity
such as espionage by any group that can be traced back to or is supported by Iran.