Final Project for the
Cybersecurity for Everyone
Course: Oilrig
By: Mustofa Abdulhafiz Ahmed
Hackers are not all the same; they range in skill, resources, and capability and often
go by different names. How would you classify this threat actor? Do they go by any
aliases? Where are they from? How would you rate the skill level and resources
available to this threat actor?
OilRig has been classed as an Advanced Persistent Threat (APT) because of the multiple attacks it has
undertaken, each of which has varied in efficacy. The Iranian government is behind OilRig. The group
is also known as Cobalt Gypsy, IRN2, Helix Kitten, Twisted Kitten, and APT34.
According to a Forbes article citing the Israeli IT security firm ClearSky, OilRig's roots can be traced back
to Iran, and the Counter Threat Unit of the cyber intelligence company SecureWorks is confident that
the group is tied to the Iranian government. The group has had success in the Middle East while conducting
the majority of its operations elsewhere. OilRig targets businesses outside Iran, whereas the vast
majority of Iranian threat actors target government institutions and opposition figures.
OilRig is confident in its ability to carry out any activity expected to benefit Iran because it
works with or for the Islamic Republic of Iran. This is similar to the Mabna Institute incident, in which the
Islamic Revolutionary Guard Corps enlisted an Iranian institution (the Mabna Institute) to carry out a massive
spear-phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion
dollars in intellectual property (IP).
Hackers are motivated to act for specific reasons. What are the motivations of your
threat actor? What is the specific geo-political context they are operating in and what
insight does that give you for why they are operating in this manner?
According to the Council on Foreign Relations, OilRig's espionage targets private-sector and
government organizations. Merriam-Webster defines espionage as the practice of spying or
using spies to obtain information about the plans and activities of a foreign government or a competing
company. The Cambridge Economic English Dictionary defines it as "the act of secretly
obtaining and reporting information, particularly covert political, military, business, or industrial
intelligence."
According to the Middle East Institute (MEI), "many countries stopped doing business with Iran as a
result of the Iranian Revolution of 1979, and so stealing academic and corporate information from
around the world allows it to renew infrastructure and build technologies that it simply cannot
purchase abroad, ranging from weaponry to airplane parachute." Because Iran is subject to
economic sanctions, it relies on what many refer to as "soft war" (less regulated, low-level
conflict sustained over long periods) in cyberspace, with the public and commercial sectors of adversary
nations as its objective. MEI also anticipated that Iran-linked organisations would focus on two cyber
activities in the medium and long term: international election meddling and widespread intellectual
property (IP) theft.
OilRig Attack Case Studies: The Hacking Process Tactics on Their Targets
and the Primary, Secondary, and Second-Order Effects
• Attack 1: An OilRig attack using AI Squared software
• Attack 2: An OilRig attack masquerading as Oxford University
• Attack 3: An OilRig attack on Al Elm and Samba Financial Group
• Attack 4: An OilRig attack on job seekers
• Attack 5: An OilRig attack on Israeli IT providers
Attack 1 - AI Squared software used in an OilRig attack
• AI Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid
visually impaired internet users. According to Forbes, security firm Symantec told AI Squared that the
certificates used to authenticate its software had been compromised,
implying that a threat actor (OilRig) had obtained AI Squared's signing key and certificates and used
them to disguise their own malware.
• The plan was to use the software for the visually impaired as a surveillance tool while appearing genuine
to security systems in the Middle East, Europe, and the United States. When the digital certificate
required to sign the newer ZoomText and Window-Eyes software products was compromised, the
certificate was revoked, according to a notice on the AI Squared website in 2017.
Attack 1
• Reconnaissance: OilRig identified AI Squared as a tech business whose software would let the group
quickly reach victims in the Middle East, Europe, and the United States, where it has a large number
of targets.
• Weaponization: OilRig is said to have obtained AI Squared's signing key and certificate and used them to sign
its own malware. Many users would adopt AI Squared's (now compromised) software to help
visually impaired people access the internet.
• Installation and Exploitation: To make sure the program works properly, users install and test it on
their PCs.
• Command and Control: By unknowingly installing the program (malware), victims give the OilRig group
information that can be exploited to gain access to larger networks.
• Initial Impact - Use of the End Host: OilRig has infected assistive software for the blind with malware for
espionage purposes. The fundamental result is that the end host is exploited.
• Secondary effects on income, reputation, and macroeconomics: Sales would be lower than predicted because
OilRig's spyware tainted the application. Customers would then rely on reputation to find other software
that provides the same kind of service. Macroeconomics: if the program becomes tainted, the personnel
working on it may change.
• Second-order information/perception effect: Anyone with access to the program could get the
impression that the business is just a cover for spying.
Attack 2 - Attack by OilRig posing as Oxford University
• In November 2016, the OilRig group registered two phoney Oxford University pages, according to
ClearSky. The first is a website for registering for conferences, while the second claims to offer
employment at the university.
• Both pages had a download button. One file was the fictional event's registration form, and the
other an Oxford University CV builder. After clicking, victims unknowingly hand their data to Helminth,
the malware OilRig uses to hijack the PC and steal data.
Attack 2
• Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once.
• Weaponization - OilRig built two fictitious Oxford University websites, one posing as a job board and the
other as a conference sign-up page.
• Delivery - People interested in working for Oxford or attending a conference that Oxford is hosting would
follow the fictitious page's instructions.
• Installation and Exploitation - Once on the fake website(s), victims are encouraged to fill in what looks like
a normal registration form and to download files infected with OilRig's surveillance malware.
• Control & Command - Because people registered and downloaded files from the bogus websites, OilRig now has
access to the computers infected with Helminth and has gathered basic information about its victims.
• Initial Impact - Utilization of the End Host: OilRig set out to gather personal data through the fictitious
Oxford website it developed.
• Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer from the fake
website's use of its name and other identifiers.
• Second-order effects on perception and information: Everyone who provided personal information and
registered on the fictitious Oxford websites would now choose to affiliate with different universities,
which is a regrettable development.
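The fake conference and jobs pages in Attack 2 worked because they carried the university's name in a domain the university does not own. As an added example (not part of the original presentation), the Python script below screens a feed of newly observed domain names against a protected brand: it flags labels that contain the brand keyword outside the legitimate domain, and labels that are a near match after folding common digit-for-letter swaps. The protected domain is used only as the example brand; the keyword list and every candidate domain are constructed for the illustration.

```python
"""Lookalike-domain triage for brand impersonation (added example).

Not code from the original presentation. It screens newly observed domain
names (from certificate-transparency feeds, proxy logs or a registrar watch)
for pages that borrow a university's name the way the fake Oxford conference
and jobs pages did. The keyword list and all candidate domains are constructed.
"""
import difflib

# Domains the organisation actually owns, mapped to the brand keywords an
# impersonator would reuse (ox.ac.uk is used here only as the example brand).
PROTECTED = {"ox.ac.uk": ["oxford"]}

# Character swaps typosquatters use; they are folded back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def is_owned(domain, owned):
    """True when domain is the protected domain itself or a subdomain of it."""
    return domain == owned or domain.endswith("." + owned)


def label_tokens(label):
    """Split a DNS label on hyphens and fold homoglyph digits back to letters."""
    return [t.translate(HOMOGLYPHS) for t in label.split("-") if t]


def assess_domain(domain, protected=PROTECTED, threshold=0.8):
    """Return (verdict, reasons); verdict is 'owned', 'suspicious' or 'clean'."""
    domain = domain.lower().strip(".")
    reasons = []
    for owned, keywords in protected.items():
        if is_owned(domain, owned):
            return "owned", []
        for label in domain.split("."):
            for token in label_tokens(label):
                for kw in keywords:
                    if kw in token:
                        reasons.append(f"label '{label}' contains brand keyword '{kw}' outside {owned}")
                        continue
                    # Near-miss spellings (transpositions, dropped letters) score high here.
                    ratio = difflib.SequenceMatcher(None, token, kw).ratio()
                    if ratio >= threshold:
                        reasons.append(f"label '{label}' resembles '{kw}' (similarity {ratio:.2f})")
    return ("suspicious" if reasons else "clean"), reasons


def triage(domains, **kwargs):
    """Map each observed domain to its (verdict, reasons)."""
    return {d: assess_domain(d, **kwargs) for d in domains}


# Constructed observations standing in for one day's new-domain feed.
OBSERVED = [
    "www.ox.ac.uk",                        # legitimate subdomain
    "oxford-conference-registration.com",  # brand keyword outside the real domain
    "0xford-careers.org",                  # digit-for-letter swap
    "oxfrod-jobs.net",                     # transposed letters
    "secureworks.com",                     # unrelated
]

if __name__ == "__main__":
    for domain, (verdict, reasons) in triage(OBSERVED).items():
        print(f"{verdict:10} {domain}")
        for r in reasons:
            print("           -", r)
```

The keyword-containment rule catches the "brand plus descriptive words" pattern (conferences, careers, registration) that impersonation pages favour; the similarity rule catches misspellings that containment misses. Both produce false positives on legitimate third parties that mention the brand, so the output is a review queue, not a block list.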
Attack 3 - Attack by OilRig on Samba Financial Group and Al Elm
• According to a 2017 Forbes article, the group started conducting phishing attacks in May 2016
from servers owned by Al-Elm, a Saudi Arabian contractor and IT security company. The email was inserted
into an existing discussion between Saudi Arabian lender Samba Financial Group and Al-Elm. It carried
an Excel attachment called "notes.xls," which, when opened by the recipient, would launch
OilRig's Helminth surveillance kit.
• In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from
within the sender's company and that "the threat actor previously compromised those
organisations," according to SecureWorks intelligence analyst Allison Wikoff.
Attack 3
• Reconnaissance - The target here is the Samba Financial Group, which reported a profit of $290 million for
the most recent quarter of the previous year.
• Weaponization - The OilRig group decided to use Al-Elm's previously compromised network to
communicate with Samba Financial Group.
• Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them carried OilRig's
Helminth spying programme.
• Installation and Exploitation - Once the email has been sent, anyone who opens the "notes.xls" Excel
attachment has the Helminth surveillance kit installed on their computer.
• Control & Command - After the email is opened, everything may appear to be in order, but OilRig has
installed the surveillance kit, giving it access to that computer and perhaps the company's network.
• Initial Impact - Use of the End Host: Through phishing, OilRig sent emails carrying the Helminth surveillance
kit to Al-Elm Security and Samba Financial Group.
• Secondary effects on remediation and reputation: Remediation - depending on how badly they were
affected, the infected devices at both ends would now be scanned, cleaned, and possibly replaced.
Reputation - threat actors interfering with IT security companies' client relationships will have an
impact on those companies' reputations.
• Second-order effects on perception and information: Because of the phishing emails, both businesses will
now proceed with great caution when forming new business alliances.
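In Attack 3 the malicious email came from Al-Elm's own, already compromised, mail infrastructure, and in Attack 4 it came from legitimate accounts at IT providers, so sender authentication such as SPF and DKIM would pass. The added example below (not code from the original presentation) is a triage routine that records the authentication result but bases its verdict on what the message carries: a legacy Office attachment is sent for sandbox detonation regardless of who sent it, and links are queued for review. The sample message, its domains and the attachment bytes are constructed; only the attachment name "notes.xls" is taken from the incident description.

```python
"""Triage of a phishing email sent from a trusted, compromised sender (added example).

Not code from the original presentation. Sender authentication passing is
recorded but never used to clear an attachment, because the Attack 3 and
Attack 4 mail came from real partner accounts. The sample message, domains
and attachment bytes are constructed; "notes.xls" is the name from the incident.
"""
import base64
import email
import re
from email import policy

# Attachment types that can carry macros or executable code (constructed policy list).
RISKY_EXT = {".xls", ".xlsm", ".doc", ".docm", ".exe", ".js", ".vbs", ".hta", ".lnk", ".iso"}
# Magic bytes of the OLE2 compound file used by legacy .xls/.doc (may embed VBA).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc results from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header)):
            results[method] = result
    return results


def triage_attachments(msg):
    """Flag attachments by extension and by container magic, not just by name."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if ext in RISKY_EXT:
            reasons.append(f"extension {ext} can carry macros or executable code")
        if payload.startswith(OLE2_MAGIC):
            reasons.append("OLE2 container (legacy Office binary that may embed VBA)")
        if reasons:
            findings.append({"filename": name, "size": len(payload), "reasons": reasons})
    return findings


def extract_urls(msg):
    """Pull links out of the text/plain parts for reputation checks."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def triage_message(raw):
    """Return a verdict; sender authentication alone never clears an attachment."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = parse_auth_results(msg)
    auth_passed = auth.get("spf") == "pass" and auth.get("dkim") == "pass"
    attachments = triage_attachments(msg)
    urls = extract_urls(msg)
    if attachments:
        verdict = "detonate-in-sandbox"   # a compromised partner account still passes SPF/DKIM
    elif urls:
        verdict = "review-links"
    else:
        verdict = "deliver"
    return {"from": str(msg["From"]), "auth_passed": auth_passed,
            "attachments": attachments, "urls": urls, "verdict": verdict}


# Constructed sample: the attachment is only the OLE2 header, not a real workbook.
FAKE_XLS = OLE2_MAGIC + b"\x00" * 24
SAMPLE_EMAIL = (
    "From: Project Lead <lead@partner-it.example>\n"
    "To: analyst@bank.example\n"
    "Subject: RE: notes for tomorrow's call\n"
    "Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=partner-it.example;\n"
    " dkim=pass header.d=partner-it.example\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Please see the attached notes. Open role: https://careers.partner-it.example/apply\n"
    "--b1\n"
    'Content-Type: application/vnd.ms-excel; name="notes.xls"\n'
    'Content-Disposition: attachment; filename="notes.xls"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(FAKE_XLS).decode() + "\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(triage_message(SAMPLE_EMAIL))
```

The point of checking container magic as well as the extension is that renaming a file does not change its first eight bytes; the point of ignoring `auth_passed` in the verdict is that header analysis in this incident showed the mail really did originate inside the partner's network.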
Attack 4 - Attack by OilRig on job seekers
• The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts
in the same report as the earlier incident that the group has been sending malware-laden emails
from legitimate email addresses belonging to two Egyptian IT service providers and to one of the
biggest IT service providers in Saudi Arabia, the National Technology Group.
• These email addresses were used to send emails with links to job offers to an unnamed Middle Eastern
organization. The attachments contained PupyRAT, an open-source remote access trojan
(RAT) that runs on Android, Linux, and Windows.
Attack 4
• Reconnaissance - OilRig targeted an unnamed organization in the Middle East.
• Weaponization - The OilRig group decided to send malicious email through National Technology Group, a Saudi
Arabian IT supplier, and ITWorx, an Egyptian IT service provider.
• Delivery - OilRig sent its victims alluring job offers from email accounts owned by IT firms.
• Installation and Exploitation - When recipients clicked the link in the email, an open-source remote
access trojan was waiting for them.
• Control & Command - Once the link has been clicked, the malware starts gathering login information from
the user and the computer.
• Initial Impact - Use of the End Host: OilRig sent a range of targets emails containing links to job offers
from reputable IT companies, carrying an open-source remote access trojan.
• Secondary reputational consequences: Candidates may think twice before accepting a position with
an IT company, even if the job offers are legitimate, now that they can trace the PupyRAT's origin
and link it to their own devices.
• Second-order effects on information and perception: The companies run the risk of developing a negative
reputation for monitoring both past and present customers.
Attack 5 - Attack by OilRig on Israeli IT vendors
• The research team at ClearSky reports that OilRig used a compromised account to send emails to a
number of targeted Israeli IT vendors.
• After entering their login information, the victim is asked to install a genuine Juniper VPN programme,
which has been bundled with Helminth, the malware the group frequently uses for surveillance.
• The email itself is a simple request for help with details about a fictitious customer.
Attack 5
• Reconnaissance - Because Israel is OilRig's intended target, the group believes that attacking IT vendors will
help it break into crucial networks.
• Weaponization - It is a given that OilRig already has access to hacked user accounts from different Israeli IT
vendors.
• Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
• Installation and Exploitation - When the victim tries to access the customer's account with the provided
credentials, they are prompted to download a Juniper VPN in order to continue. The genuine Juniper VPN
is bundled with the spying malware Helminth.
• Control & Command - After a successful installation, OilRig has access to the device and to the emails of many
other clients and customers who use the vendor's services.
• Initial Impact - Utilization of the End Host: OilRig disguised itself as a customer needing help because it was
interested in breaking into Israeli networks.
• Secondary Impact on Cleanup: Remediation - Some employees of the company may have followed the
threat actor's instructions because it is their job to keep customers satisfied. As a result,
businesses may need to inspect, maintain, or upgrade their equipment.
• Second-order effects on information and perception: People who use the VPN may worry that their
devices carry the surveillance malware Helminth because it was attached to a legitimate Juniper VPN.
Not all hackers represent a strategic problem for policy makers. How would you
characterize your threat actor, are they chiefly a private problem for businesses or a
public concern for policy makers? How should policy makers respond?
• The range of OilRig's targets makes them an Advanced Persistent Threat (APT). Their primary
activity is espionage; instead of erasing or altering anything they gain access to, they simply
wait while their Helminth malware does its work. For the majority of their espionage operations they
have used compromised email to obtain stolen information. OilRig is interested in targeting
private industry, and it mostly uses subtle methods such as phishing. They pose a clear threat to
businesses, but because those organisations are connected to both private and public institutions,
one email could give them access to a powerful corporation or government office, making them both
a private issue and a public one. The best course of action would be to impose more economic
sanctions, since OilRig has been identified as an Iranian threat actor.
• The amount of pressure that any one nation could exert on Iran to make good on harm caused by
cyber espionage is limited. It is feasible, but it could take a very long time, and once secrets
are compromised, they cannot be replaced. If Iran agrees, or if other nations share these concerns,
policymakers could work together to craft treaties that would penalise and deter threat actors
operating from Iran. If a group of nations rewrites the Iran Nuclear Deal in the future, there should
be clear punishments, rather than financial incentives, for any cyber-related activity, such as
espionage, by any group that can be traced back to or is supported by Iran.
References
• https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/?sh=4c88925f468a
• https://www.merriam-webster.com/dictionary/espionage
• https://microsites-live-backend.cfr.org/interactive/cyber-operations/oilrig
• https://www.cfr.org/backgrounder/what-iran-nuclear-deal
• https://www.mei.edu/publications/irans-cyber-future
• https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary
• https://www.clearskysec.com/oilrig/
• https://attack.mitre.org/groups/G0049/
• https://dictionary.cambridge.org/us/dictionary/english/espionage
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Recently uploaded (20)

WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Final Project for the Cybersecurity for Everyone Course- Oilrig.pptx

1. Final Project for the Cybersecurity for Everyone Course: Oilrig
By: Mustofa Abdulhafiz Ahmed
2. Hackers are not all the same; they range in skill, resources, and capability and often go by different names. How would you classify this threat actor? Do they go by any aliases? Where are they from? How would you rate the skill level and resources available to this threat actor?

• OilRig has been classed as an Advanced Persistent Threat (APT) because of the multiple attacks it has undertaken, each of which has varied in efficacy. The Iranian government is behind OilRig. Cobalt Gypsy is one of its other identities; others include IRN2, Helix Kitten, Twisted Kitten, and APT34.
• According to a Forbes article citing the Israeli IT business ClearSky, OilRig's roots may be traced back to Iran, and the Counter Threat Unit of the cyber intelligence company SecureWorks is confident that the group is tied to the Iranian government. They have had success in the Middle East while doing the majority of their business elsewhere. OilRig targets businesses outside of Iran, whereas the vast majority of Iranian threat actors target government institutions and opposition figures.
• OilRig is confident in its ability to carry out any activity that is expected to benefit Iran because it works with or for the (Islamic Republic of) Iran. Similarly, in the Mabna Institute incident, the Islamic Revolutionary Guard Corps enlisted an Iranian institution (the Mabna Institute) to carry out a massive spear-phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion dollars in intellectual property (IP).
3. Hackers are motivated to act for specific reasons. What are the motivations of your threat actor? What is the specific geo-political context they are operating in and what insight does that give you for why they are operating in this manner?

• OilRig's espionage, according to the Council on Foreign Relations, targets private-sector and government organizations. According to Merriam-Webster, espionage is the action of spying or using spies to obtain information about a foreign government's or a competing enterprise's goals and operations. The Cambridge Economic English Dictionary defines it as "the act of secretly obtaining and reporting information, particularly covert political, military, business, or industrial intelligence."
• According to the Middle East Institute (MEI), "many countries stopped doing business with Iran as a result of the Iranian Revolution of 1979, and so stealing academic and corporate information from around the world allows it to renew infrastructure and build technologies that it simply cannot purchase abroad, ranging from weaponry to airplane parachutes." Because Iran is subject to economic sanctions, it relies on what many refer to as "soft war" (less regulated, low-level conflict sustained over long periods) in cyberspace, with the public and commercial sectors of adversary nations as its objective.
• MEI also anticipated that Iran-linked organisations will focus on two cyber activities in the medium and long term: international election meddling and widespread intellectual property (IP) theft.
4. OilRig Attack Case Studies: The Hacking Process, Tactics Used on Their Targets, and the Primary, Secondary, and Second-Order Effects

• Attack 1: An OilRig attack using AI Squared software
• Attack 2: An OilRig assault masquerading as Oxford University
• Attack 3: Attack on Al Elm and Samba Financial Group by OilRig
• Attack 4: Attack on job seekers by OilRig
• Attack 5: Attack on Israeli IT providers by OilRig
5. Attack 1 - AI Squared software is used in an OilRig attack

• AI Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid visually impaired internet users. According to Forbes, the security firm Symantec told AI Squared that the digital certificates used to authenticate its software had been compromised, implying that a threat actor (OilRig) had obtained AI Squared's signing key and certificates and used them to make its own malware look legitimate.
• The plan was to use the software for the visually impaired as a surveillance tool while appearing genuine to security systems in the Middle East, Europe, and the United States. When the digital certificate used to sign newer ZoomText and Window-Eyes software products was compromised, the certificate was revoked, according to a notice on the AI Squared website in 2017.
6. Attack 1

• Reconnaissance: OilRig identified the AI Squared tech business as having software that would allow the gang to quickly reach its victims in the Middle East, Europe, and the United States, where it has a large number of targets.
• Weaponization: OilRig is said to have obtained AI Squared's signing key and certificate and used them to sign its own malware. Many individuals had considered adopting AI Squared's (by then compromised) software to assist the visually impaired in accessing the internet.
• Installation and Exploitation: To make sure the program works properly, users must install and test it on their PCs.
• Command and Control: By unknowingly installing the program (malware), victims give the OilRig gang information that may be exploited to gain access to bigger networks.
• OilRig infected software for the blind with malware for espionage purposes. The primary effect is that the end host is exploited.
• As a result, the following revenue, reputation, and macroeconomic effects occurred. Revenue: sales would be lower than predicted since OilRig's spyware tainted the application. Reputation: customers would then look for new software that provides the same sort of service. Macroeconomics: if the program is seen as compromised, the personnel working on it may change.
• Second-order information/perception effect: anyone with access to the program could get the impression that the business is just a cover for spying.
7. Attack 2 - Attack by OilRig posing as Oxford University

• In November 2016, the OilRig group registered two phoney Oxford University pages, according to ClearSky. The first is a website for registering for conferences, while the second claims to offer employment within the university.
• On both pages there was a download button that visitors could use. The fictional event's registration form is in one file, and an Oxford University CV builder is in the other. After clicking, victims unknowingly hand their data to Helminth, the malware that OilRig uses to hijack the PC and steal data, without even realising it.
8. Attack 2

• Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once.
• Weaponization - Two fictitious Oxford University websites were made by OilRig, one of which appeared to be a job board and the other a place to sign up for conferences.
• Delivery - People who are interested in working for Oxford or attending a conference that Oxford is hosting are likely to follow the fictitious page's instructions.
• Installation and Exploitation - The victims, once on the fake website(s), are encouraged to fill in what seems to be a normal registration form and download files that are infected with OilRig's surveillance malware.
• Command & Control - OilRig now has access to the computers infected with Helminth malware and has gathered the basic information of its victims, because people registered and downloaded files from the bogus websites.
• Initial Impact - Utilization of the End Host: OilRig set out to gather personal data through the fictitious Oxford website it developed.
• Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer as a result of the fake website's use of its name and other identifiers.
• Second-order effects on perception and information: Everyone who provided personal information and registered on the fictitious Oxford websites may now choose different universities to be affiliated with, which is a regrettable development.
9. Attack 3 - Attack by OilRig on Samba Financial Group and Al Elm

• According to a 2017 Forbes article, the group started conducting phishing attacks in May 2016 from servers owned by the Saudi Arabian contractor and IT security company Al-Elm. The email was inserted into a discussion between the Saudi Arabian lender Samba Financial Group and Al-Elm. The email had an Excel attachment called "notes.xls," which when opened by the recipient would launch OilRig's Helminth surveillance kit.
• In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from within the sender's company and that "the threat actor previously compromised those organisations," according to SecureWorks intelligence analyst Allison Wikoff.
10. Attack 3

• Reconnaissance - The target here is the Samba Financial Group, which reported a profit of $290 million for the most recent quarter of the previous year.
• Weaponization - The OilRig group decided to use Al-Elm's "previously compromised" network to communicate with Samba Financial Group.
• Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them contained OilRig's Helminth spying programme.
• Installation and Exploitation - After the email has been sent, anyone who opens the "notes.xls" Excel attachment will have the Helminth surveillance kit installed on their computer.
• Command & Control - After opening the email, everything might appear to be in order, but OilRig has installed the surveillance kit, giving it access to that computer and perhaps the company's network.
• Initial Impact - Use of the End Host: OilRig sent emails containing the Helminth surveillance kit to Al-Elm Security and Samba Financial Group through phishing attacks.
• Secondary effects on remediation and reputational damage. Remediation: depending on how badly they were affected, the infected devices at both ends would now be scanned, cleaned, and possibly replaced. Reputation: threat actors interfering with an IT security company's client relationships damages that company's reputation.
• Second-order effects on perception and information: Because of the phishing emails sent, both businesses will now proceed with great caution when creating new business alliances.
11. Attack 4 - Attack by OilRig on job seekers

• The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts in the same report as the earlier incident that the group has been sending emails containing malware from legitimate email addresses belonging to Egyptian IT service providers and to one of the biggest IT service providers in Saudi Arabia, the National Technology Group.
• These email addresses were used to send emails with links to job offers to an unnamed Middle Eastern organization. The attachments contained PupyRAT, an open-source remote access trojan (RAT) that works on Android, Linux, and Windows platforms.
12. Attack 4

• Reconnaissance - OilRig's target was an unnamed organization in the Middle East.
• Weaponization - The OilRig group decided to send malicious email using accounts at National Technology Group, a Saudi Arabian IT supplier, and ITWorx, an Egyptian IT service provider.
• Delivery - OilRig sent its victims alluring job offers via email accounts owned by the IT firms.
• Installation and Exploitation - When recipients clicked on the link in the email, an open-source remote access trojan was waiting for them.
• Command & Control - After the link has been clicked, the malware starts to gather login information from the user and the computer.
• Initial Impact - Use of the End Host: OilRig sent emails to a range of targets that carried an open-source remote access trojan and contained links to job offers from reputable IT companies.
• Secondary reputational consequences: Candidates may think twice before accepting a position with an IT company, even though the job offers might be legitimate, now that they can trace the PupyRAT's origin and link it to their own devices.
• Second-order effect on information and perception: The companies run the risk of developing a reputation for monitoring both past and present customers.
13. Attack 5 - Attack by OilRig on Israeli IT vendors

• The research team at ClearSky reports that OilRig used a compromised account to send emails to a number of targeted Israeli IT vendors.
• It is a simple email asking for assistance with details regarding a fictitious customer.
• After entering their login information, the victim is asked to install a genuine Juniper VPN programme, which has been bundled with Helminth, the malware the group frequently employs for surveillance.
14. Attack 5

• Reconnaissance - OilRig believes that, because Israel is its intended target, attacking IT vendors will help it break into crucial networks.
• Weaponization - OilRig already has access to hacked user accounts at different Israeli IT vendors.
• Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
• Installation and Exploitation - When the victim attempts to access the customer's account using the provided credentials, they are prompted to download a Juniper VPN in order to continue. The legitimate Juniper VPN is bundled with the spying malware Helminth.
• Command & Control - After a successful installation, OilRig would have access to the device and to the emails of many other clients/customers that use the vendor's services.
• Initial Impact - Utilization of the End Host: OilRig disguised itself as a customer who needed help because it was interested in breaking into Israeli networks.
• Secondary Impact on Cleanup: Remediation - Some employees of the company may have carried out the threat actor's instructions because it is their responsibility to maintain customer satisfaction. As a result, businesses may need to inspect, maintain, or upgrade their equipment.
• Second-order effect on information and perception: People who use the VPN may worry that their devices carry the surveillance malware Helminth because it was bundled with a legitimate Juniper VPN.
15. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor, are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond?

• The range of OilRig's targets makes it an Advanced Persistent Threat (APT). Its primary activity is espionage; instead of erasing or altering anything it gains access to, it simply waits while its Helminth malware completes its work. It has used compromised email accounts to obtain stolen information in the majority of its espionage operations. OilRig is interested in targeting private industry, and it mostly uses subtle methods such as phishing.
• OilRig poses a clear threat to businesses, but because these organisations have connections with both private and public institutions, one email could give it access to a powerful corporation or a government office, making OilRig both a private issue and a public one. Since OilRig has been identified as an Iranian threat actor, the best course of action would be to impose more economic sanctions.
16. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor, are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond? (continued)

• The amount of pressure that a single nation can exert on Iran to make good on any harm caused by cyber espionage is limited. It is feasible, but it could take a very long time, and once any secrets are compromised, they cannot be recovered. If Iran agrees, or if other nations share these concerns, policymakers could work together to craft treaties that would penalise and deter threat actors operating from Iran. If a group of nations wants to rewrite the Iran Nuclear Deal in the future, there should be clear punishments, rather than financial incentives, for any cyber-related activity such as espionage coming from any group that can be traced back to or is supported by Iran.
17. References

• https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/?sh=4c88925f468a
• https://www.merriam-webster.com/dictionary/espionage
• https://microsites-live-backend.cfr.org/interactive/cyber-operations/oilrig
• https://www.cfr.org/backgrounder/what-iran-nuclear-deal
• https://www.mei.edu/publications/irans-cyber-future
• https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary
• https://www.clearskysec.com/oilrig/
• https://attack.mitre.org/groups/G0049/
• https://dictionary.cambridge.org/us/dictionary/english/espionage