Iran-Linked Attackers Target Government Organizations

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.

The campaign, dubbed by the security firm “OilRig,” has involved weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor dubbed “Helminth.” The attacks aimed at banks were also documented by FireEye in May.

Palo Alto Networks has been monitoring the group’s activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.

The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.

Four variants of the Helminth malware have been identified by experts, including one that uses FireEye’s name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.

There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed “HerHer” and is also capable of logging keystrokes.
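The article notes only that Helminth can talk to its C&C server over DNS as well as HTTP. As an added example (not code from the article or from Palo Alto Networks' report), the following is a generic heuristic a defender might run over DNS query logs to surface DNS-based C2 of this general kind: registered domains receiving many distinct, long, high-entropy leftmost labels. The log format, the sample records and the thresholds are all assumptions; the "two-label" registered-domain rule is a simplification.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the article): "<client_ip> <qname>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 a9f3c2e1b7d4.update.badzone.test
10.0.0.7 4e8b1d0cc73a.update.badzone.test
10.0.0.7 77c0fa92e1b5.update.badzone.test
10.0.0.7 0b3d9e6af218.update.badzone.test
10.0.0.7 c5e21f7a83d9.update.badzone.test
10.0.0.9 cdn.example.org
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; random-looking hex/base32 scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive: keep the last two labels (assumption; real tooling should use the public suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def suspicious_dns_domains(log_text: str, min_unique: int = 5,
                           min_entropy: float = 3.0, min_label_len: int = 10) -> list:
    """Return registered domains whose queries carry many distinct, long, high-entropy leftmost labels."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed records
        qname = parts[1].lower()
        first = qname.split(".")[0]
        # Ordinary hostnames (www, mail, cdn) are short and low-entropy and fall out here.
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            labels[registered_domain(qname)].add(first)
    return sorted(d for d, seen in labels.items() if len(seen) >= min_unique)


if __name__ == "__main__":
    print(suspicious_dns_domains(SAMPLE_LOG))  # ['badzone.test']
```

Thresholds need tuning per environment, since legitimate services (CDNs, some antivirus lookups) also emit hash-like labels; treat hits as leads for triage rather than verdicts.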

Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.

Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.

Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.

Related: Iranian Actor “Group5” Targeting Syrian Opposition

Related: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
