2. Hackers are not all the same; they range in skill, resources, and capability and often go by different names. How would you classify this threat actor? Do they go by any aliases? Where are they from? How would you rate the skill level and resources available to this threat actor?
OilRig is an Iranian government-backed group that is classified as an Advanced Persistent Threat (APT), mainly because of their numerous attacks with varying degrees of success. They are also known by different names such as Cobalt Gypsy, IRN2, Helix Kitten, Twisted Kitten and APT34.
In a Forbes report, the Counter Threat Unit of the cyber intelligence firm SecureWorks is certain that OilRig is working for the Iranian government, while the Israeli IT firm ClearSky traced the group back to Iran. Most of their operations are within the Middle East, but they have also had success outside the region, and while most Iranian threat actors target government agencies and dissidents, OilRig focuses on private industries outside of Iran.
Since OilRig is working with/for (the Islamic Republic of) Iran, they are sure to have enough resources to conduct any operation that is expected to be beneficial for Iran. Compare the Mabna Institute case, where an Iranian organization (Mabna Institute) was subcontracted by the Islamic Revolutionary Guard Corps to conduct a massive spear phishing campaign that resulted in a total stolen value of $3.4 billion worth of Intellectual Property (IP) and 31.5 terabytes of academic data.
3. Hackers are motivated to act for specific reasons. What are the motivations of your threat actor? What is the specific geo-political context they are operating in, and what insight does that give you for why they are operating in this manner?
According to the Council on Foreign Relations, OilRig targets private-sector and government entities for the purpose of espionage. Merriam-Webster defines espionage as the practice of spying or using spies to obtain information about the plans and activities especially of a foreign government or a competing company. The Cambridge Business English Dictionary defines it as the activity of secretly collecting and reporting information, especially secret political, military, business, or industrial information.
In a geo-political context, Iran has always disagreed with its neighbors in the region and with Western countries for many reasons, and according to the Middle East Institute (MEI), “because of the Iranian Revolution of 1979, many countries stopped business with Iran and so stealing academic and corporate information from around the globe allows it to renew infrastructure and build technologies that it simply cannot purchase abroad, ranging from weaponry to airplane parts.”
Iran’s effort to tell their side of the story on issues is also not that popular, and because Iran is suffering from economic sanctions imposed on them, they rely on what is described by many as “soft war” (less regulated, low-level conflict over extended periods of time) in cyberspace, with public and private sectors in rival countries as their target.
MEI also assessed that Iran-linked actors are likely to focus on two cyber operations in the medium and long term: foreign election meddling and widespread theft of intellectual property (IP).
4. Sample Cases of OilRig attacks: The Hacking Process tactics on their targets and the Primary, Secondary and Second Order Effects
Case 1 - OilRig attack using AI Squared software
Case 2 - OilRig attack impersonating Oxford University
Case 3 - OilRig attack on Al Elm and Samba Financial Group
Case 4 - OilRig attack on Job Hunters
Case 5 - OilRig attack on Israeli IT vendors
5. Case 1 - OilRig attack using AI Squared software
A small, mission-driven tech firm, AI Squared, based in Vermont, developed software that alters websites to help the visually impaired use the internet.
Forbes reported that AI Squared received a warning from security giant Symantec that certificates for its technology, designed to guarantee its authenticity, had been compromised, suggesting that a threat actor (OilRig) got hold of AI Squared’s signing key and certificates, which they used to disguise their own malware.
The goal was to use the software for the visually impaired as a surveillance tool and make it appear legitimate to the security systems of their many targets across the Middle East, Europe and the U.S.
As a result, an AI Squared website notification in 2017 says that their certificate has been revoked because the digital certificate used to certify newer ZoomText and Window-Eyes software products had been compromised.
6. Case 1 - OilRig attack using AI Squared software
Reconnaissance - The group has a wide range of targets in the Middle East, Europe, and the US, and OilRig judged that the AI Squared tech firm has software that could help them reach their victims with ease.
Weaponization - OilRig is assumed to already have control over AI Squared’s signing key and certificate and used the legitimate software as their own malware.
Delivery - Out of human compassion for helping the visually impaired access the internet, most have considered using the (already compromised) software by AI Squared.
Exploitation and Installation - People are bound to install and use the software on their computers to see if it is effective.
Command & Control - The victims who use the software (malware) are unknowingly feeding information to the OilRig group, which can then help them gain access to bigger networks.
Primary Effect - Exploitation of End Host
• OilRig has infected software for the visually impaired with their malware for surveillance purposes.
Secondary Effects on Revenue, Reputation and Macroeconomics
• Revenue - Since the software is infected with OilRig's surveillance malware, purchases would now be lower than expected.
• Reputation - Customers would then find different software that offers the same kind of service.
• Macroeconomics - Because of the software getting infected, there could be a change of personnel who work on the software.
Second Order Effect on Information / Perception
• Everybody who already has access to the software might think that the company is a front for spying purposes.
7. Case 2 - OilRig attack impersonating Oxford University
ClearSky reports that the OilRig group created and registered two (2) fake Oxford University pages in November 2016: one claims to offer a job inside the institution, and the other is a conference sign-up website.
Both pages encouraged visitors to download files. One file is a requirement to complete registration for the fake event, and the other file is an Oxford University CV creator. Once clicked, victims are unknowingly feeding information to OilRig’s malware, named Helminth, allowing them to control the PC and steal data.
8. Case 2 - OilRig attack impersonating Oxford University
Reconnaissance - OilRig is interested in hitting many targets in one operation, and so they created fake Oxford University websites for their plan.
Weaponization - OilRig created 2 fake Oxford University websites: one claiming to offer jobs and the other a registration site for a conference.
Delivery - People who are interested in working for Oxford or attending a conference hosted by Oxford are sure to follow the bogus page’s requirements.
Exploitation and Installation - The victims, once on the fake website(s), are encouraged to fill out what seems to be a normal registration form and download files that are infected with OilRig’s surveillance malware.
Command & Control - Because people have registered and downloaded files from the fake websites, OilRig has now collected their victims’ basic information and gained access to the computers infected with the Helminth malware.
Primary Effect - Exploitation of End Host
• OilRig set out to collect personal information through the fake Oxford website they created.
Secondary Effect on Reputation
• Reputation - Oxford University's reputation is sure to be affected because their name and identifiers are used in the fake website.
Second Order Effect on Information / Perception
• It is an unfortunate event, but everybody who sent personal information and registered on the fake Oxford websites would now pick different universities to be associated with.
9. Case 3 - OilRig attack on Al Elm and Samba Financial Group
According to a Forbes report in 2017, phishing attempts were launched by the group in May 2016 from servers within the Saudi Arabian contractor and IT security firm Al-Elm.
The email was injected into a thread between Al-Elm and one of Saudi Arabia’s lenders, Samba Financial Group. The email contained a version of OilRig’s Helminth surveillance kit, which would launch as soon as a recipient opened an attached document, in this case an Excel file called “notes.xls.”
In the case of Al-Elm, analysis of the headers of the phishing emails indicated they originated from within the sender’s organization, and "the threat actor previously compromised those organizations," according to SecureWorks intelligence analyst Allison Wikoff.
10. Case 3 - OilRig attack on Al Elm and Samba Financial Group
Reconnaissance - The target here is the Samba Financial Group, which reported $290 million profit for the last quarter of the previous year.
Weaponization - The OilRig group chose to use the “previously compromised” network of Al-Elm to establish a connection with Samba Financial Group.
Delivery - An email with OilRig’s Helminth surveillance kit was injected into an email thread between Al-Elm and Samba Financial Group.
Exploitation and Installation - Once the email has been sent, people who open the attached Excel file named “notes.xls” will have their computer infected with the Helminth surveillance kit.
Command & Control - Everything might seem normal after opening the email, but once the surveillance kit has been installed, OilRig has gained access to that computer and possibly the company’s network.
Primary Effect - Exploitation of End Host
• Through phishing attempts, OilRig has sent an email with the Helminth surveillance kit to Al-Elm Security and Samba Financial Group.
Secondary Effects on Remediation / Reputation
• Remediation - The infected devices at both ends would now be scanned, cleaned and possibly replaced, depending on how badly they were affected.
• Reputation - The reputation of the IT security firm is affected because they are supposed to prevent threat actors from getting in between them and their clients.
Second Order Effect on Information / Perception
• Because of the phishing emails sent, both companies would now be very cautious about future business partnerships.
11. Case 4 - OilRig attack on Job Hunters
From the same report as the previous case, cyber intelligence firm SecureWorks, which calls the OilRig crew Cobalt Gypsy, said that the group has been sending out messages loaded with malware from legitimate email addresses belonging to one of Saudi Arabia's biggest IT suppliers, the National Technology Group, and an Egyptian IT services firm, ITWorx.
From those email accounts, an unnamed Middle East entity was targeted with messages promising links to job offers. Hidden in the attachments was PupyRAT, an open-source remote access trojan (RAT) that works across Android, Linux and Windows platforms.
12. Case 4 - OilRig attack on Job Hunters
Reconnaissance - OilRig’s target is an unnamed entity, but they chose to launch the attack in the Middle East.
Weaponization - The OilRig group chose to use Saudi Arabia’s IT supplier, National Technology Group, and Egypt’s IT services firm ITWorx to send emails loaded with malware.
Delivery - OilRig used email addresses belonging to the IT firms to send enticing job offers to their victims.
Exploitation and Installation - When recipients open the email, hidden in the linked attachments is an open-source remote access trojan.
Command & Control - Once the link has been accessed, the malware would then begin collecting credentials from the user and the computer.
Primary Effect - Exploitation of End Host
• OilRig has sent emails from legitimate IT firms to various targets with links to job offers which are infected with an open-source remote access trojan.
Secondary Effect on Reputation
• Reputation - The job offers might be legitimate, but the job hunters would now think twice about joining the IT firms, because they would trace the source of the PupyRAT on their devices to links inside the email.
Second Order Effect on Information / Perception
• The firms might get the reputation of spying on their current and future employees and customers.
13. Case 5 - OilRig attack on Israeli IT vendors
According to the ClearSky research team, OilRig has sent emails to several targeted Israeli IT vendors using a compromised account. It is a basic email requesting help with details of the supposed customer, and when logging in with the credentials the victim is asked to install legitimate Juniper VPN software bundled with Helminth, a malware commonly used by the group for surveillance purposes.
14. Case 5 - OilRig attack on Israeli IT vendors
Reconnaissance - OilRig’s target is Israel, and they think that attacking IT vendors could help them infiltrate important networks.
Weaponization - It is assumed that OilRig already has access to compromised customer accounts from various Israeli IT vendors.
Delivery - The group sends an email to the vendors, disguising themselves as legitimate customers asking for help.
Exploitation and Installation - When the victims try to access the user’s account with the provided credentials, the victim is then asked to download a Juniper VPN to proceed. The legitimate Juniper VPN they provide is bundled with their surveillance malware Helminth.
Command & Control - When successfully installed, OilRig would then have access to the device and many other client/customer emails that use their services.
Primary Effect - Exploitation of End Host
• OilRig would be interested in infiltrating Israeli networks, and so they disguised themselves as customers who need assistance.
Secondary Effect on Remediation
• Remediation - Because it is their job to keep customers satisfied, some employees of the firms might have followed the threat actor's instructions. As a result, firms may have to check, clean and/or replace their devices.
Second Order Effect on Information / Perception
• Because the malware Helminth is attached to a legitimate Juniper VPN, people who use the VPN might be worried that their devices are infected with the surveillance malware too.
15. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor: are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond?
OilRig is clearly an Advanced Persistent Threat (APT) because of the range of their targets. Their main activity is espionage; they do not engage in destroying, wiping, or altering whatever they get access to, but instead they just sit back and relax while their Helminth malware does its job. Most of their espionage activities have resulted in stolen information using compromised email.
OilRig is interested in targeting private industries, and their tactics are very subtle, mostly through phishing. They are a clear threat to businesses, but because these companies have connections with private citizens, public and other types of institutions, one email could be their way into a government office or a corporate giant, making them both a private problem and a public concern for policy makers. Since OilRig has been identified as a threat actor from Iran, imposing more economic sanctions would be the appropriate response. One country can only do so much to try to get Iran to pay for any harm done through cyber espionage. It is possible but might be a really long process, and when any secrets are compromised, they can never be replaced.
Policy makers could also make a collective effort to punish and discourage threat actors through treaties, either with Iran if they accept or with countries that also have an issue with threat actors from Iran. If a group of countries want to make a different version of the Iran Nuclear Deal in the future, it should not include any monetary incentives; instead, there should be clear punishments for any cyber-related activities like espionage coming from any group that can be traced back to or is sponsored by Iran.