2. OilRig Attack Case Studies: The Hacking Process Tactics on Their Targets.
The Primary, Secondary, and Second Order Effects
• Attack 1: An OilRig attack utilizing AI Squared software
• Attack 2: An OilRig assault masquerading as Oxford University
• Attack 3: Attack on Al-Elm and Samba Financial Group by OilRig
• Attack 4: Attack on job seekers by OilRig
• Attack 5: Attack on Israeli IT providers by OilRig
FINAL PROJECT - OILRIG
BY: CESAR MURILO RIBEIRO
3. Hackers are not all the same; they range in skill, resources, and capability and often go by different names. How would you classify this threat actor? Do
they go by any aliases? Where are they from? How would you rate the skill level and resources available to this threat actor? OilRig has been classed as
an Advanced Persistent Threat (APT) due to the multiple attacks it has undertaken, each of which has varied in efficacy. The Iranian government is
behind OilRig. Cobalt Gypsy is one of their other identities, while others include IRN2, Helix Kitten, Twisted Kitten, and APT34. According to a Forbes
article citing the Israeli IT business ClearSky, OilRig's roots may be traced back to Iran, and the Counter Threat Unit of the cyber intelligence company
SecureWorks is positive that the group is tied to the Iranian government. They have had success in the Middle East while doing the majority
of their business elsewhere. OilRig targets businesses outside of Iran, whereas the vast majority of Iranian threat actors target government institutions
and opposition figures. OilRig is confident in its ability to carry out any activity that is expected to benefit Iran because it works with or for the (Islamic
Republic of) Iran. A comparable case is the Mabna Institute incident, in which the Islamic Revolutionary Guard Corps enlisted an Iranian institution (the Mabna Institute) to
carry out a massive spear phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion
dollars in intellectual property (IP).
4. Hackers are motivated to act for specific reasons. What are the motivations of your threat actor? What is the
specific geo-political context they are operating in and what
insight does that give you for why they are operating in this manner? OilRig espionage, according to the
Council on Foreign Relations, targets private-sector and government organizations. According to Merriam-
Webster, espionage is the action of spying or utilizing spies to obtain information about a foreign
government's or a competing enterprise's goals and operations. The Cambridge Economic English Dictionary
defines it as "the act of secretly obtaining and reporting information, particularly covert political, military,
business, or industrial intelligence." According to the Middle East Institute (MEI), "many countries stopped doing business with Iran
as a result of the Iranian Revolution of 1979, and so stealing academic and corporate information from
around the world allows it to renew infrastructure and build technologies that it simply cannot
purchase abroad, ranging from weaponry to airplane parachutes."
Because Iran is subject to economic sanctions, it relies on what many refer to as "soft war" (less regulated,
low-level conflict sustained over lengthy periods of time) in cyberspace, with the public and commercial sectors of
adversary nations as its objective. MEI also anticipated that Iran-linked organisations will focus on two
cyber activities in the medium and long term: international election meddling and widespread intellectual
property (IP) theft.
5. Attack 1 - AI Squared software is used in an OilRig attack
• AI Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid visually impaired
internet users. According to Forbes, security firm Symantec told AI Squared that the certificates used to
authenticate its software had been compromised, implying that a threat actor (OilRig) obtained AI Squared's signing
key and certificates and used them to hide their own malware behind a trusted signature.
• The plan was to use the software for visually impaired users as a surveillance tool while appearing genuine to security systems
in the Middle East, Europe, and the United States. When the digital certificate required to sign newer ZoomText and
Window-Eyes software products was compromised, the certificate was revoked, according to a notice on the AI
Squared website in 2017.
6. Attack 1
• Reconnaissance: OilRig judged that AI Squared's software would allow the gang to quickly
reach its victims in the Middle East, Europe, and the United States, where it has a large number of targets.
• Weaponization: OilRig is said to have obtained AI Squared's signing key and certificate and used them to sign its
own malware. Most affected individuals had adopted AI Squared's (previously hacked) software to assist
the visually impaired in accessing the internet.
• Installation and Exploitation: To make sure the program works properly, users install and test it on their PCs.
• Command and Control: By unknowingly installing the program (malware), victims provide the OilRig gang with
information that may be exploited to gain access to larger networks.
• OilRig infected software for the blind with malware for espionage purposes. The primary result is that the end host
gets exploited.
• As a result, the following revenue, reputation, and macroeconomic effects occur. Revenue: sales would be lower than
predicted since OilRig's spyware tainted the application. Reputation: customers would then rely on reputation to find new
software that provides the same kind of service. Macroeconomics: if the program becomes tainted, the personnel
working on it may change.
• Second Order Information/Perception Effect: Anyone with access to the program could get the impression that
the business is just a cover for spying.
7. Attack 2 - Attack by OilRig posing as Oxford University
• In November 2016, the OilRig group registered two phoney Oxford University pages, according to ClearSky. The first
is a conference registration website, while the second claims to offer employment at the university.
• Both pages offered a download button to visitors. One file is the fictional event's registration form, and the other
is an Oxford University CV builder. After clicking, victims unknowingly hand their data to Helminth, the
malware that OilRig uses to hijack the PC and steal data.
8. Attack 2
• Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once.
• Weaponization - Two fictitious Oxford University websites were made by OilRig, one of which appeared to be a job
board and the other a place to sign up for conferences.
• Delivery - People who are interested in working for Oxford or attending a conference that Oxford is hosting are likely
to follow the fictitious page's instructions.
• Installation and Exploitation - Once on the fake website(s), the victims are encouraged to fill in what seems to be a
normal registration form and download files that are infected with OilRig's surveillance malware.
• Command and Control - OilRig now has access to the computers infected with Helminth malware and has gathered
the basic information of their victims because people registered and downloaded files from the bogus websites.
• Initial Impact - Utilization of the End Host: OilRig set out to gather personal data through the fictitious
Oxford website it developed.
• Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer as a result of the fake
website's use of its name and other identifiers.
• Second-order effects on perception and information: Everyone who provided personal information and registered on
the fictitious Oxford websites would now choose different universities to be affiliated with, which is a regrettable
development.
9. Attack 3 - Attack by OilRig on Samba Financial Group and Al-Elm
• According to a 2017 Forbes article, the group started conducting phishing attacks in May 2016 from servers owned
by Saudi Arabian IT security contractor Al-Elm. The email was inserted into an existing discussion between Saudi Arabian
lender Samba Financial Group and Al-Elm. The email carried an Excel attachment called "notes.xls," which, when opened
by the recipient, would launch OilRig's Helminth surveillance kit.
• In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from within the sender's
company and that "the threat actor previously compromised those organisations," according to SecureWorks
intelligence analyst Allison Wikoff.
10. Attack 3
• Reconnaissance - The target here is the Samba Financial Group, which reported a profit of $290 million for the
most recent quarter of the previous year.
• Weaponization - The OilRig group decided to use Al-Elm's previously compromised network to communicate with
Samba Financial Group.
• Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them contained OilRig's
Helminth spying programme.
• Installation and Exploitation - Once the email has been sent, anyone who opens the "notes.xls" Excel attachment will
have the Helminth surveillance kit installed on their computer.
• Command and Control - After the email is opened, everything might appear to be in order, but OilRig has installed the
surveillance kit, giving it access to that computer and perhaps the company's network.
• Initial Impact - Use of the End Host: OilRig sent emails containing the Helminth surveillance kit to Al-Elm Security and
Samba Financial Group through phishing attacks.
• Secondary effects on remediation and reputational damage: Remediation: depending on how badly they were affected,
the infected devices at both ends would now be scanned, cleaned, and possibly replaced.
Reputation: threat actors must be prevented from interfering with IT security companies' client relationships, since such
interference damages those companies' reputations.
• Second-order effects on perception and information: Because of the phishing emails, both businesses will now
proceed with great caution when creating new business alliances.
11. Attack 4 - Attack by OilRig on job seekers
• The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts in the same report
as the earlier incident that the group has been sending emails containing malware from legitimate email addresses
belonging to an Egyptian IT service provider and to one of the biggest IT service providers in Saudi Arabia, the National
Technology Group.
• These email addresses were used to send emails containing links to job offers to an unnamed Middle Eastern organization.
The attachments contained PupyRAT, an open-source remote access trojan (RAT) that runs on Android, Linux, and
Windows platforms.
12. Attack 4
• Reconnaissance - OilRig intended to attack an unnamed entity, choosing a target in the Middle East.
• Weaponization - The OilRig group decided to send malicious emails through National Technology Group, a Saudi Arabian
IT supplier, and ITWorx, an Egyptian IT service provider.
• Delivery - OilRig sent its victims alluring job offers via email accounts owned by the IT firms.
• Installation and Exploitation - When recipients clicked the link in the email, an open-source remote access
trojan was waiting for them.
• Command and Control - Once the link has been clicked, the malware starts to gather login information from the user
and the computer.
• Initial Impact - Use of the End Host: OilRig sent emails to a range of targets that carried an open-source
remote access trojan and contained links to job offers from reputable IT companies.
• Secondary reputational consequences: Candidates should think twice before accepting a position with an IT
company, even though the job offers might be legitimate, now that they can trace the PupyRAT's origin and link it to their
own devices.
• Second-order effect on information and perception: The companies run the risk of developing a negative reputation
for monitoring both past and present customers.
13. Attack 5
• Reconnaissance - OilRig believes that, because Israel is its intended target, attacking IT vendors will help it
break into crucial networks.
• Weaponization - It is taken as given that OilRig already has access to hacked user accounts from different Israeli IT
vendors.
• Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
• Installation and Exploitation - When the victim attempts to access the user's account using the provided credentials,
they are prompted to download a Juniper VPN client in order to continue. The package bundles a legitimate Juniper VPN
client with the spying malware Helminth.
• Command and Control - After a successful installation, OilRig would have access to the device and to the emails of many
other clients/customers that use the vendor's services.
• Initial Impact - Utilization of the End Host: OilRig disguised itself as a customer who needed help because it
was interested in breaking into Israeli networks.
• Secondary Impact on Cleanup: Remediation - Some employees of the company may have carried out the threat
actor's instructions because it is their responsibility to maintain customer satisfaction. As a result, businesses may need
to inspect, maintain, or upgrade their equipment.
• Second-order effect on information and perception: People who use the VPN may be concerned that their devices
carry the surveillance malware Helminth because it is bundled with a legitimate Juniper VPN client.
14. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor, are they chiefly a
private problem for businesses or a
public concern for policy makers? How should policy makers respond? • The range of OilRig's targets makes them an Advanced
Persistent Threat (APT). Their primary activity is espionage; instead of erasing or altering anything they gain access to, they simply sit
back while their Helminth malware completes its work. They have used compromised email to obtain stolen information in
the majority of their espionage operations. OilRig is interested in targeting private industries, and it uses mostly
subtle methods such as phishing. They pose a clear threat to businesses, but because these organisations have connections with both
private and public institutions, one email could give them access to a powerful corporation or government office, making them both a
private issue and a public one. The best course of action would be to impose more economic sanctions, since OilRig has been
identified as an Iranian threat actor.
15. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor, are they chiefly a
private problem for businesses or a
public concern for policy makers? How should policy makers respond? • The amount of pressure that any one nation could exert on Iran
to make good on harm caused by cyber espionage is limited. It is feasible, but it could take a very long time, and once any
secrets are compromised, they cannot be recovered. If Iran agrees, or if other nations share these concerns, policymakers could work
together to craft treaties that would penalise and deter threat actors operating from Iran. If a group of nations wants to rewrite the Iran
Nuclear Deal in the future, there should be clear punishments, rather than financial incentives, for any cyber-related activities, such as
espionage, by any group that can be traced back to or is supported by Iran.