An Iranian hacker group known as OilRig hijacked legitimate websites in order to target Israeli organizations, including a healthcare organization, in two separate cyberattack campaigns in 2021 and 2022, the Slovak cybersecurity company ESET reported last week.
The two cyberattack campaigns were labeled “Outer Space” and “Juicy Mix” by ESET. Both campaigns collected browsing history, cookies, and usernames and passwords stored on targeted devices.
The Outer Space campaign, launched in 2021, was conducted after OilRig compromised an Israeli human resources site. The hacker group used the site as a server to extract information from targeted devices.
In the Outer Space campaign, OilRig used a new “backdoor” tool called Solar to infiltrate targeted devices. The malicious software was likely distributed to targets through phishing emails, according to ESET.
After the backdoor was installed on the targeted devices, the hackers were able to download and exfiltrate files from the victims. The tool included a function to create a folder from which files were automatically stolen. ESET noted that the hackers likely used an additional, as-yet-unidentified tool to collect specific files into that folder.
In the Juicy Mix campaign, launched in 2022, OilRig used a different but similar backdoor to infiltrate targeted devices.
In the Juicy Mix campaign, the hackers compromised a legitimate Israeli job portal website to use as a server for extracting information from targeted devices. The Juicy Mix campaign targeted an Israeli healthcare organization, according to ESET.
The Juicy Mix campaign included tools allowing the hackers to steal data from the Google Chrome and Microsoft Edge browsers, as well as data from Windows Credential Manager, which stores usernames and passwords.
The Juicy Mix campaign also included a tool that would allow OilRig to hide its attack from cybersecurity products by blocking some of the detection mechanisms used by such products, although the tool was not activated in the sample of the cyberattack examined by ESET.
In July 2023, ESET found a new version of the backdoor tool used in the Juicy Mix campaign online. The new version had been uploaded to a cybersecurity website called VirusTotal by several users under the name Menorah.exe.
ESET has notified Israel’s Cyber Emergency Response Team (CERT) about the two cyberattack campaigns.
The hacker group OilRig is also known as APT34, Lyceum, Siamesekitten, Helix Kitten, and Twisted Kitten.
Other recent attacks by OilRig
In September 2022, Albania announced that it had been targeted by two cyberattacks carried out by Iranian hacker groups which had previously targeted Israel, Saudi Arabia, the UAE, Jordan, Kuwait and Cyprus.
The Mandiant cybersecurity company noted at the time that a tool called ZEROCLEARE which corrupts file systems may have been used in the attack.
According to a report by IBM’s X-Force IRIS, ZEROCLEARE has been used in a destructive cyberattack in the Middle East in the past. X-Force IRIS estimated that an Iranian group known as the ITG13 threat group or APT34/OilRig and at least one other group likely based out of Iran collaborated on that attack.
A report by Microsoft also found that OilRig, which Microsoft now refers to as Hazel Sandstorm, was likely involved in gaining initial access and exfiltrating data in the attacks on Albania.