For nearly a month, an unknown party has been leaking key tools used by the hacker group APT34, or OilRig, onto the internet, along with the personal information of some of the group’s top management. Is it a “disgruntled insider,” or is this another Shadow Brokers-type attack, like the US National Security Agency experienced in 2016?
In August 2016, an entity calling itself the Shadow Brokers stole some of the NSA’s best hacking tools and sold them on the internet. Now, however, the hacking group OilRig, a group long purported to be part of the Iranian Ministry of Intelligence, is under attack, but this time the hackers are dumping folks’ identities, too — and they’re doing it for free.
«We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks,» reads a message posted to the Telegram channel Read My Lips by the hackers on March 25. «We hope that other Iranian citizens will act for exposing this regime’s real ugly face!»
Wired notes the channel is also called Dookhtegan — the Persian word for «sewn lips» — and that the group has continued to publish more information on the channel ever since.
Chronicle, Alphabet’s cybersecurity spin-off company started last year, said the hackers dumped the source code of six of OilRig’s most notorious hacking tools. Their names are Glimpse, PoisonFrog, HyperShell, HighShell, Fox Panel and Webmask.
The leakers also claim to have wiped the contents of some of OilRig’s servers, leaving behind the following message:
«We are Lab_dookhtegan. We destroyed this server and we will destroy you! We are exposing the cyber tools that the Iranian Ministry of Intelligence has been using for spying on Iran’s neighboring countries to promote its vicious goals, including names of the managers, and information about the activities and the goals of these cyber-attacks.»
The leakers have also posted names, photos and contact details of alleged OilRig members, but Wired reported their identities couldn’t be clearly connected to the hacker group.
«It looks like either a disgruntled insider is leaking tools from APT34 operators, or it’s a Shadow Brokers-esque sort of entity interested in disrupting operations for this particular group,» Brandon Levene, head of applied intelligence at Chronicle, told Wired for a Thursday story. «They do seem to have something out for these guys. They’re naming and shaming, not just dropping tools.»
ZDNet reported the leaked data reveals a catalogue of 66 victims of OilRig, mainly from countries in the Middle East, but also Africa, East Asia and Europe.
Wired also noted that a «DNSpionage» malware tool was included in the leak, a tool used for a kind of cyberattack in which hackers snoop on communications by pretending to be the receiving party. Cybersecurity firm FireEye reported in January that the perpetrators of a series of previous DNSpionage attacks «have a nexus to Iran.» However, as Sputnik reported, FireEye’s claims should be taken with a «Dead Sea’s worth of salt,» as the company was founded with CIA money and maintains a «strategic partnership» with the US spy agency.
The stolen data mostly includes username and password combos that appear to have been collected through phishing pages — that’s the same kind of information Crowdstrike, another cybersecurity firm with close ties to the US intelligence community, reported had been stolen in DNSpionage attacks in the Middle East earlier this year, Sputnik reported.
ZDNet also advised caution in drawing the connection to Iran, noting the publication had been contacted via Twitter direct message last month by a user purporting to have worked on OilRig’s DNSpionage campaign.
The user offered up some of the same files that appeared on the Read My Lips Telegram server, «and we believe that this Twitter user is the Telegram Lab Dookhtegan persona,» the publication wrote.
«This should be taken with a grain of salt, as the leaker could very well be a member of a foreign intelligence agency trying to hide their real identity while giving more credence to the authenticity of Iran’s hacking tools and operations,» ZDNet wrote, noting that they’d learned the same Twitter persona «also contacted tens of other reporters and infosec researchers with the same message, in an attempt to promote the leak.»
«It’s likely this group will alter their toolset in order to maintain operational status,» Levene told ZDNet last week, noting the tools aren’t nearly as sophisticated or valuable as those stolen from the NSA three years ago. «There may be some copycat activity derived from the leaked tools, but it is unlikely to see widespread use.»