During the annual Cyber Security Weekend 2023 for the Middle East, Turkiye, and Africa which was recently held in Almaty, Kazakhstan Kaspersky researchers announced the discovery of a series of attacks by a new malware supposedly developed by the infamous OilRig Advanced Persistent Threat (APT) group that has been active in the Middle East and Turkiye for over a decade. The group is known for targeting high-profile government entities across the Middle East, Turkiye, and Africa for cyberespionage purposes.

The OilRig APT commonly uses social engineering tactics and exploits software and technical vulnerabilities within its victims. However, Kaspersky experts noticed the group has updated its arsenal, resorting to persistent, stealthier ways of infiltrating their targets through third-party IT companies.

During an ongoing investigation that started in late 2022, Kaspersky experts discovered that the APT group has executed PowerShell scripts to gain access to terminal servers at IT companies in the region to collect credentials and sensitive data about their targets. The group used the stolen information to infiltrate their targets and deploy malware samples that relied on Microsoft Exchange Web Services to perform Command & Control (C2) communications, and steal data. The investigated malware appeared to be a variant of an older malware used by the threat actor.

To ensure persistent stealthy access, the group deployed a new DLL-based password filter, which enabled them to intercept local/domain password changes. This allowed the attackers to receive updated passwords along with other stolen and sensitive data sent from their targets’ email services to attacker-controlled Protonmail and Gmail addresses.

“OilRig has taken the meaning of “stealth mode” to the next level with its complex and heavily modified tactics, techniques, and procedures to exploit third-party IT companies. It is evident from our investigation that third-party attacks are stealthier, and agile and remain undetected in comparison to other tactics, posing a grave risk to the functioning of government entities in this region. The radical shift to infiltrate IT companies that are part of a supply chain is an indication that regional government entities are stepping up their cybersecurity game, driving APT groups to think out of the box” said Maher Yamout, Senior Security Researcher at Kaspersky.

Kaspersky researchers recommend governments and businesses follow the below tips and protect themselves from falling victim to third-party supply chain attacks:

• Invest and build a holistic, well-integrated cybersecurity approach that protects data and assets beyond the parameters of your organization.
• Leveraging Threat Intelligence is key. Using solutions like the Kaspersky Threat Intelligence Portal can equip IT teams with real-time data and insights and provide access to a rich source of expertise to build a strong defense.

• Conduct a penetration test within your organization and don’t leave out your third-party service providers.
• Your cyber defense is as strong as your employees, who are considered the first line of defense. Arm them with the right knowledge through solutions like the Kaspersky Automated Security Awareness Platform that automates cyber-awareness training for companies of any size.
• Back up your data regularly and scan it from time to time to maintain integrity.