For the last few weeks, someone has been publishing the source code of the hacking tools used by a high-level attack team that’s been linked to the Iranian government. The tools belong to a group known variously as APT34 and OilRig, and whoever is dumping them appears to have some interest in not just exposing the tools but also the group’s operations.
The leaks began in late March on a Telegram channel and have continued through this week. Researchers at Chronicle, a security company owned by Google’s parent company, Alphabet, have examined the leaked tools and confirmed that they are indeed the same ones used by the OilRig attackers. OilRig has been connected to a number of intrusions at companies and government agencies across the Middle East and Asia, including technology firms, telecom companies, and even gaming companies. Whoever is leaking the toolset also has been dumping information about the victims OilRig has targeted, as well as data identifying some of the servers the group uses in its attacks.
The tools that have been leaked so far include several versions of a trojan used by the OilRig team, called BondUpdater, and a webshell. The leaked tools are publicly available on GitHub. Chronicle researchers said that the tools appear to be legitimate and the fact that they’re now public probably will force the attackers to change their arsenal.
“It’s likely this group will alter their toolset in order to maintain operational status. There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use,” said Brandon Levene of Chronicle.
Researchers have connected OilRig to the Iranian Ministry of Intelligence and the group has been quite active for several years. The group is known to go after a variety of different targets, and often executes intrusions against organizations in the supply chain of a larger target. OilRig uses a wide range of techniques and tactics in its operations, including simple things such as spear phishing. The group also uses a number of different methods for communication with compromised machines and data exfiltration, including tunneling through DNS.
“OilRig delivered Trojans that use DNS tunneling for command and control in attacks since at least May 2016. Since May 2016, the threat group has introduced new tools using different tunneling protocols to their tool set,” Robert Falcone of Palo Alto Networks’ Unit 42 research team wrote in an analysis of the group’s activities.
“Regardless of the tool, all of the DNS tunneling protocols use DNS queries to resolve specially crafted subdomains to transmit data to the C2 and the answers to these queries to receive data from the C2.”
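Seen from the resolver's side, the pattern Falcone describes (data chunks encoded into ever-changing subdomains of one zone) is what a defender can hunt for in query logs. The following detection example is added here and is not code from the article, Chronicle or Unit 42; the log format, the domain names and client addresses, the thresholds and the two-label "registered domain" simplification are all assumptions made for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS resolver query log ("<epoch> <client> <qname> <qtype>");
# every name and address below is made up for this example.
SAMPLE_LOG = """\
1554800001 10.0.0.5 www.example.com A
1554800003 10.0.0.5 example.com A
1554800004 10.0.0.7 3f9a1c7e5b2d8046e1f3a9c7.c2-placeholder.test TXT
1554800005 10.0.0.7 8b2e6d0f4a19c3e7d5b0a2f6.c2-placeholder.test TXT
1554800006 10.0.0.7 c4d17e9a2b58f036e7a1d9c2.c2-placeholder.test TXT
1554800007 10.0.0.5 api.example.com A
1554800008 10.0.0.7 1e7b3a9d5c2f8064a7e9b1d3.c2-placeholder.test TXT
"""
# Thresholds are tunable assumptions; these suit the constructed sample above.
MIN_UNIQUE, MIN_ENTROPY, MIN_LENGTH = 4, 3.0, 16

def shannon_entropy(text):
    """Bits per character of text; 0.0 for the empty string."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def split_qname(qname):
    """(subdomain, zone); simplification: zone = last two labels, not the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_domains(log_text):
    """Flag zones queried with many distinct, long, high-entropy subdomains."""
    subs_by_zone = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line, skip it
        sub, zone = split_qname(parts[2])
        if sub:  # a bare zone query carries no encoded payload
            subs_by_zone[zone].add(sub)
    flagged = set()
    for zone, subs in subs_by_zone.items():
        if len(subs) < MIN_UNIQUE:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_len >= MIN_LENGTH and mean_ent >= MIN_ENTROPY:
            flagged.add(zone)
    return flagged

if __name__ == "__main__":
    print(sorted(find_tunneling_domains(SAMPLE_LOG)))
```

Legitimate CDN and anti-spam zones also produce long, varied subdomains, so in practice the flagged zones are a triage list to be checked against an allowlist rather than an alert on their own.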
The leak of the OilRig toolset has echoes of the Shadow Brokers leaks from 2016. That operation targeted the National Security Agency and included extensive leaks of tools used by the agency. Those leaks were not just a black eye for the NSA but also affected the Internet at large thanks to the publication of tools that were later used in the NotPetya and WannaCry attacks. The EternalBlue tool that was part of the Shadow Brokers leaks was used in both of those operations, and has shown up in other attacks as well.
Though the OilRig leaks are somewhat similar, Chronicle’s Levene said he doesn’t expect to see the same kind of recycling of the OilRig tools.
“The capabilities of the leaked tools are relatively easily reproduced by open source alternatives; it is unlikely we will see heavy reuse,” he said.
CC BY-SA licensed photo by Joiseyshowaa.