Who is OilRig?
OilRig is a sophisticated cyberespionage group attributed to the government of Iran. The group has been active since 2014.
It spies on and exfiltrates sensitive data from organizations to support Iran’s strategic goals. Its attacks are persistent and methodical.
Common Tactics and Tools
OilRig is known for its evolving TTPs (Tactics, Techniques, and Procedures), but its main method of initial access is spear phishing. The group writes convincing emails carrying malicious links or attachments, often weaponized Microsoft Office files, which trick users into opening them and handing the attackers a foothold.
Once inside a network, the group's goal is to maintain long-term access and steal valuable information. It relies on a set of custom-developed malware to achieve this.
- Helminth: A backdoor that gives the attackers remote control of an infected computer, letting them run commands and steal data.
- ISMAgent: Malware used for spying on and stealing data from compromised systems.
- Poison Frog: A tool that installs a backdoor, giving the group lasting access to a victim’s network.
How to Defend Against OilRig
Defending against a patient group like OilRig requires layered security; no single control is enough.
- Security awareness training: Train employees to recognize and report well-crafted phishing attacks.
- Strict access control: Implement the principle of least privilege and enforce Multi-Factor Authentication (MFA). This limits an attacker’s ability to move laterally after an initial compromise.
- Vulnerability patching: Keep all software patched and up to date, with priority on internet-facing systems and commonly targeted tools such as Microsoft Office.
- Network monitoring: Use Network Detection and Response (NDR) to monitor network traffic for unusual activity, including signs of data exfiltration and communication with known malicious domains.
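As an added illustration of the monitoring described in the last point (this is not code from the original page or from any vendor product), the following Python script runs a two-part check over constructed proxy log lines: it flags connections to a placeholder domain blocklist and hosts whose total outbound volume exceeds an assumed baseline. The log format, host addresses, domains and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real traffic): timestamp, source host, destination domain, bytes sent.
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.5 updates.example-vendor.test 1200
2024-05-01T09:00:07 10.0.0.5 mail.example-corp.test 3400
2024-05-01T09:01:15 10.0.0.9 c2-placeholder.invalid 900
2024-05-01T09:02:40 10.0.0.9 c2-placeholder.invalid 850
2024-05-01T09:05:03 10.0.0.7 filehost.example-share.test 52000000
2024-05-01T09:05:50 10.0.0.7 filehost.example-share.test 48000000
"""
# Placeholder blocklist; a real deployment would load threat-intelligence feeds instead.
BLOCKLIST = {"c2-placeholder.invalid"}
# Assumed baseline: more outbound bytes than this per host in the log window is treated as possible exfiltration.
EXFIL_THRESHOLD_BYTES = 50_000_000

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """Return (timestamp, src, domain, bytes_out) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, domain, nbytes = m.groups()
    return ts, src, domain.lower(), int(nbytes)

def analyze(log_text, blocklist=BLOCKLIST, threshold=EXFIL_THRESHOLD_BYTES):
    """Flag contacts with blocklisted domains and hosts whose total outbound bytes exceed the threshold."""
    alerts = []
    bytes_by_host = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        ts, src, domain, nbytes = rec
        bytes_by_host[src] += nbytes
        if domain in blocklist:
            alerts.append({"type": "blocklisted_domain", "host": src, "domain": domain, "time": ts})
    for src, total in bytes_by_host.items():
        if total > threshold:
            alerts.append({"type": "possible_exfiltration", "host": src, "bytes_out": total})
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

In practice the volume threshold should come from a per-host baseline learned over time, since a single fixed number produces either noise or blind spots.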