Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Iran-Linked Attackers Target Government Organizations

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

An Iran-linked group previously observed attacking organizations in Saudi Arabia has been improving its malware tools and expanding its target list to include other countries.

In May, Palo Alto Networks researchers reported seeing attacks launched by a threat actor against financial institutions and technology companies in Saudi Arabia. The same group also carried out attacks on the Saudi defense industry in the fall of 2015.

The campaign, dubbed by the security firm “OilRig,” has involved weaponized Microsoft Excel spreadsheets tracked as “Clayslide” and a backdoor dubbed “Helminth.” The attacks aimed at banks were also documented by FireEye in May.

Palo Alto Networks has been monitoring the group’s activities and discovered that it has also targeted a company in Qatar and government organizations in the United States, Israel and Turkey.

The threat actor behind OilRig uses spear-phishing emails and malicious macro-enabled Excel documents to deliver Helminth. In the case of a Turkish government organization, the Excel file was designed to mimic a login portal for an airline.

Four variants of the Helminth malware have been identified by experts, including one that uses FireEye’s name. The threat, capable of communicating with its command and control (C&C) server over both HTTP and DNS, can collect information about the infected device and download additional files from a remote server.

There are two types of Helminth: one that relies on VBScript and PowerShell scripts, and one that is distributed as an executable file. The executable version is delivered by a Trojan dubbed “HerHer” and it is also capable of logging keystrokes.

Advertisement. Scroll to continue reading.

Researchers have found several clues that point to an Iran-based actor, although they admit that the data can be easily forged. This includes the use of the Persian language in the malware samples and information associated with the C&C domains.

Palo Alto Networks also discovered an IP address mentioned by Symantec last year in a report describing the activities of two Iran-based threat groups that appear to be linked.

Palo Alto Networks has analyzed the activities of several threat groups believed to be operating out of Iran, including one that relies on a piece of malware dubbed Infy. This summer, the security firm reported that it had managed to disrupt a cyberespionage campaign involving Infy.

Related: Iranian Actor “Group5” Targeting Syrian Opposition

Related: Researchers Hack Infrastructure of Iran-Linked Cyber Spies

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cyberwarfare

Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...

Cyberwarfare

The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...