In 2021 and 2022 [1] [3], Israeli organizations experienced cyberespionage campaigns conducted by the Iranian nation-state actor known as OilRig or APT34 [1]. These campaigns [1] [2] [3] [4], named Outer Space and Juicy Mix [1] [3], involved the use of previously identified backdoors called Solar and Mango [1]. This article provides a detailed description of these campaigns and their impact on Israeli organizations.
Description
The Outer Space campaign targeted an Israeli human resources site [3], which was then repurposed as a command-and-control server for Solar, a previously undisclosed C#/.NET backdoor [2] [4]. Solar has the capability to download and execute files, as well as gather information. In the Juicy Mix campaign [2] [4], OilRig further enhanced Solar and developed the Mango backdoor, which succeeded Solar and possessed additional capabilities and obfuscation methods. This campaign specifically targeted an Israeli healthcare organization and utilized a compromised Israeli job portal website as a command-and-control server.
OilRig continues to innovate and develop new implants with backdoor-like functionalities [3], while also discovering novel methods for executing commands on remote systems. The group deploys customized post-compromise tools to collect credentials [3], cookies [3], and browsing history from major browsers and the Windows Credential Manager [3]. ESET researchers thoroughly analyzed both the Outer Space (2021) and Juicy Mix (2022) campaigns by OilRig, which specifically targeted Israeli organizations and employed similar tactics. Additionally, ESET took the initiative to inform the Israeli CERT about the compromised websites.
Conclusion
The cyberespionage campaigns conducted by OilRig have had significant impacts on Israeli organizations. The compromise of their websites and the utilization of backdoors like Solar and Mango have allowed the attackers to gain unauthorized access, download files, and gather sensitive information [1]. Mitigating these threats requires organizations to enhance their cybersecurity measures, including regular vulnerability assessments, network monitoring, and employee training on phishing and other social engineering techniques.
Furthermore, the continuous innovation and development of new implants by OilRig highlight the need for ongoing research and collaboration among cybersecurity professionals to stay ahead of evolving threats. Sharing information with relevant authorities, such as the Israeli CERT, is crucial in mitigating the impact of these campaigns and protecting organizations from future attacks.
References
[1] https://cybersec84.wordpress.com/2023/09/23/iranian-threat-actor-oilrig-targets-israeli-organizations/
[2] https://www.welivesecurity.com/en/eset-research/oilrigs-outer-space-juicy-mix-same-ol-rig-new-drill-pipes/
[3] https://thehackernews.com/2023/09/iranian-nation-state-actor-oilrig.html
[4] https://thecyberwire.com/podcasts/daily-podcast/1912/transcript