3. Skills, Resources and Capabilities
OilRig is a state-sponsored hacking group associated with the Iranian government. It is also known by other names, such as APT34 and Helix Kitten. OilRig is believed to be based in Iran and primarily targets organizations in the Middle East, although it has also targeted organizations in Europe and the United States.
4. They have been associated with several advanced persistent threats (APTs) and have proven that they are capable of carrying out complex attacks that involve multiple stages and techniques.
They are also known to use social engineering tactics to trick their targets into revealing confidential information or downloading malware.
OilRig has been active since at least 2014 and has been involved in several high-profile attacks. OilRig is considered to be a sophisticated hacking group with significant capabilities and resources.
5. Since OilRig works with/for (the Islamic Republic of) Iran, it certainly has sufficient resources to carry out any operation that might benefit Iran. This is illustrated by the case of the Mabna Institute, an Iranian organization tasked by the Islamic Revolutionary Guard Corps with conducting a massive spear-phishing campaign that stole intellectual property worth a total of $3.4 billion and 31.5 terabytes of academic data.
6. MOTIVATIONS
OilRig is believed to be a state-sponsored group working on behalf of the Iranian government. The motivations for its activities can be seen in the geopolitical context in which it operates.
It operates with the support of Iranian intelligence and the Islamic Revolutionary Guard Corps.
7. OilRig targets private and government entities for espionage, defined as the practice of spying or using spies to obtain information about the plans and activities of, in particular, a foreign government or competing entity, especially secret political, military, business, financial, aviation, infrastructure, governmental, educational or industrial information.
8. In a geopolitical context, Iran has always been at enmity with its neighbors in the region and Western countries for many reasons, and according to the Middle East Institute (MEI), "many countries have ceased doing business with Iran because of the 1979 Iranian Revolution, so the theft of academic and business information from around the world allows Iran to renew its infrastructure and develop technologies it simply cannot buy abroad, from weapons to aircraft parts."
10. Reconnaissance: The attacker gathers information about the target organization, harvesting email addresses, conference information, etc.
Weaponization: Coupling an exploit with a backdoor into a deliverable payload: customized RDAT, DNS-over-HTTPS and phishing websites.
Delivery: OilRig uses a variety of delivery methods, such as sending the weaponized bundle to the victim via email, web, USB, etc.
Exploitation: Exploiting a vulnerability to execute code on the victim's system, probably via unpatched software, stolen credentials, and brute-force attacks.
Installation: Installing malware on the asset using remote access tools and exploiting vulnerabilities in the system.
Command & Control: A command channel for remote manipulation of the victim. They could use a variety of C2 channels, including IRC, HTTPS, and DNS.
Actions on Objectives: With "hands on keyboard" access, intruders accomplish their original goals.
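The Command & Control stage above lists DNS among the channels the group could use. The following is an added example, not code from the original deck and not a tool attributed to OilRig, showing how a defender might hunt for DNS-carried C2 in resolver logs: it scores the leftmost label of each query for length and Shannon entropy (encoded data looks random), notes TXT lookups (a roomy downstream channel), and counts queries per registered domain. The log lines, domain names, thresholds and function names are all constructed for the illustration.

```python
import math
from collections import Counter

# Constructed sample DNS query log (hypothetical, not from any real incident).
# Format per line: "<timestamp> <client_ip> <query_name> <record_type>"
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 4a6f686e2e446f65.c2-placeholder.example TXT
2024-01-01T10:00:04 10.0.0.7 7061737377307264.c2-placeholder.example TXT
2024-01-01T10:00:05 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.c2-placeholder.example TXT
2024-01-01T10:00:06 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2-placeholder.example TXT
2024-01-01T10:00:07 10.0.0.9 cdn.example.net A
2024-01-01T10:00:08 10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.c2-placeholder.example TXT
"""

# Thresholds are illustrative starting points; tune them against your own baseline.
LONG_LABEL_THRESHOLD = 20         # characters in the leftmost label
ENTROPY_THRESHOLD = 3.0           # bits per character of the leftmost label
QUERIES_PER_DOMAIN_THRESHOLD = 4  # queries to one registered domain in the window


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Naive registered-domain extraction: the last two labels.
    A real deployment should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype}


def label_reasons(qname: str, qtype: str) -> list:
    """Per-query heuristics that together suggest data carried in the query name."""
    leftmost = qname.rstrip(".").split(".")[0]
    reasons = []
    if len(leftmost) >= LONG_LABEL_THRESHOLD:
        reasons.append("long_label")
    if shannon_entropy(leftmost) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy_label")
    if qtype == "TXT":  # TXT answers let a server push arbitrary text back
        reasons.append("txt_query")
    return reasons


def analyze_dns_log(text: str) -> dict:
    """Return per-query flags plus domains exceeding the query-volume threshold."""
    per_query = []
    domain_counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        domain_counts[registered_domain(rec["qname"])] += 1
        reasons = label_reasons(rec["qname"], rec["qtype"])
        if reasons:
            per_query.append((rec["client"], rec["qname"], reasons))
    noisy = sorted(d for d, n in domain_counts.items()
                   if n >= QUERIES_PER_DOMAIN_THRESHOLD)
    return {"per_query": per_query,
            "noisy_domains": noisy,
            "domain_counts": dict(domain_counts)}


if __name__ == "__main__":
    result = analyze_dns_log(SAMPLE_DNS_LOG)
    for client, qname, reasons in result["per_query"]:
        print(f"{client} {qname} {','.join(reasons)}")
    print("high-volume domains:", result["noisy_domains"])
```

Two caveats follow from the same slide. First, no single heuristic is conclusive (CDNs and anti-spam systems also produce long, random-looking labels), which is why the script combines label scoring with per-domain volume and should be corroborated with the client's other activity. Second, the Weaponization stage mentions DNS-over-HTTPS: queries sent over DoH never reach the internal resolver and so never appear in this log, which means the detection only works where egress policy forces DNS through the monitored resolver or where the proxy or TLS inspection layer logs connections to DoH endpoints.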
11. END-EFFECTS / CASE STUDY
Shamoon 2 (2016):
OilRig was linked to the Shamoon 2 attack, which targeted Saudi Arabian government agencies and organizations.
The primary effect was the destruction of data on thousands of computers, causing significant disruption and damage to the targeted organizations.
The secondary effect was the loss of trust in the affected organizations, as they were unable to protect their data from a major cyberattack.
The second-order effect was the impact on the wider economy, as businesses and industries in the region were disrupted due to the attack.
12. STRATEGIC IMPACT
OilRig is a state-sponsored hacking group that poses a significant threat to businesses, governments, and other organizations in the Middle East and beyond. The group is known for attacking government agencies, financial institutions, and critical infrastructure, among other things. Because OilRig is state-sponsored, the group's activities are of public interest to policymakers because they pose a potential threat to national security and the stability of the global economy.
13. These types of groups are of public interest to policymakers because of their state-sponsored activities and their potential impact on national security and global stability. A comprehensive approach to cybersecurity, including enhanced defenses, international cooperation, and diplomatic and economic measures, can help mitigate the threat.