Turla APT Hijacks OilRig Infrastructure

Delaware, USA – June 24, 2019 – One of the most notorious APT groups secretly used OilRig (aka APT34 or Crambus) infrastructure to attack the government entity in a Middle Eastern country. This is a rare, but not unique, case in which one of the cyber espionage groups hacks the servers of another group in order to obtain information about their tools or activities. Researchers from Symantec suppose that when trying to penetrate the network of the target organization, the hackers from Turla group found that their target was already compromised by the Iranian APT group. In order not to attract additional attention, Turla hacked the command-and-control servers of OilRig and used hijacked infrastructure to install their own malware. The adversaries installed their own development on multiple already infected systems: a task scheduler named msfgi.exe, LightNeuron backdoor for Microsoft Exchange email servers, as well as a modified version of Mimikatz tool, which was used in other attacks of Turla APT. The investigation showed that both groups conducted espionage activities in parallel for a long time after the incident.

Earlier this year, unknown hackers published the source code of several OilRig tools in Telegram channel, as well as dumps of the stolen data and victim lists. Perhaps this is also the work of Turla APT. You can study the techniques of known APT groups in Threat Detection Marketplace in MITRE ATT&CK section: https://tdm.socprime.com/att-ck/

Also, you can use APT Framework rule pack that adds sophistication to your existing tools by leveraging the Cyber kill chain to connect the dots between low-level SIEM incidents and link them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework-arcsight