New York Times, MAY 15, 2017 - For 18 days last month, a team of computer security experts found themselves engaged in a digital version of hand-to-hand combat with a group of hackers determined to break into the network of a military contractor.
Every time the hackers, believed to be Iranian, gained a toehold in one server, the defenders shut down their access. A few days later, the hackers would come in through another digital door, and again the defenders would block them.
While dueling with the hackers, the security experts said they encountered something that they had never seen before when dealing with an Iranian cyberattack: a Russian connection.
Specifically, they found that the Iranians were using a tool set developed by a known Russian hacker-for-hire and sold in underground Russian forums. The tool had popped up in connection with an attack in Ukraine in 2015, when Russian hackers successfully shut down parts of Ukraine’s power grid.
“This is the very first time we’ve cataloged an attack where Iranian hackers are working with Russian hackers-for-hire,” Carl Wright, an executive at TrapX, the Silicon Valley security firm that interdicted the hackers last month, said in an interview last week.
TrapX says it cannot name the victim of the attack, the details of which have not been reported until now, because of confidentiality agreements.
But the intrusion represented a “historic” partnership between Iran’s hackers and Russians who are auctioning their skills and tools to the highest bidder, said Tom Kellermann, a computer security expert who previously served as the chief cybersecurity officer at Trend Micro, the Tokyo-based security giant, and was a member of a commission advising the Obama administration on online security.
“Iranian hackers have dramatically increased their cyberweaponry and tactical proficiency as a result,” Mr. Kellermann said.
Security experts outside TrapX said that it was possible that the attackers had faked the Internet Protocol address in the attack, and that Iran’s hackers had simply grabbed the Russian hacking tool off the web and customized it for their attack.
Still, TrapX researchers said that several web domains used in the attack had been registered to a Russian alias, and that three email addresses continue to be used by a hacker in Russian hacking forums and in the underground web.
The security experts had become very familiar with the Iranian hackers, who had gotten the nickname “OilRig” because they first emerged in hackings on oil companies in Saudi Arabia and later Israel. The hackers had been moving west, targeting a growing array of military, financial and energy companies in Europe and, more recently, the United States.
TrapX Security’s offices in San Mateo, Calif.
Security experts said Iran’s OilRig hackers had become easy to spot over the course of hundreds of attacks on contractors, energy companies and government agencies.
By most accounts, these hackers could best be described as the “B Team,” not nearly as sophisticated as the Chinese, Russian or Eastern European hackers whom security firms have been monitoring for more than a decade. But what OilRig’s hackers lacked in sophistication, they made up for in determination. They did their research. They were patient. When they were caught, they would wait for the dust to settle before trying again.
Researchers at TrapX came across the Russian tool set in the course of what Mr. Wright described as a running battle with the Iranian hackers last month.
More than 70 percent of the code used in the attack was identical to the code OilRig had used in hundreds of previous assaults on organizations. The targets ranged from oil companies in Saudi Arabia and Qatar, to government agencies and companies in Turkey, Europe and the United States, including a small tech firm in rural Vermont called AI Squared that helps websites serve people with visual impairments.
But in the final stage of the attack, TrapX’s defenders saw a big shift in the hackers’ methods, tools and techniques. “It was a departure from anything they’ve done in over 200 documented attacks,” Moshe Ben-Simon, vice president of TrapX Labs, the company’s research arm, said in an interview.
At one point, the defenders watched as the attackers got close to the part of their clients’ network where the most valuable intellectual property was housed. It was in this final stage that the hackers downloaded two new sets of tools. The first was a basic hacker’s kit that could do things like steal usernames and passwords.
The second tool had never popped up in an OilRig attack before. It was wrapped in encryption and had been designed to evade the techniques investigators use to figure out how a hacking tool works. It took weeks to crack the tool and extract information, Mr. Ben-Simon said.
The security researchers found OilRig code used in previous attacks, combined with a type of malware called BlackEnergy that was used in an assortment of attacks, including the 2015 effort by Russian hackers that took out parts of Ukraine’s power grid. They also found that the hacking tool was conveying information from the victims’ systems to a server that had also popped up in the Ukraine power grid attack.
Mr. Wright said evidence also indicated that the hacker was renting out services on the underground web.
In the end, TrapX’s researchers were able to bait the attackers with a web server containing fake data aimed at tricking them into divulging their tactics, and hopefully frustrating them into giving up.
It worked. OilRig’s hackers injected their malware into the server, which TrapX then analyzed and used to shut the hackers out of their clients’ systems.
Mr. Wright said TrapX was willing to discuss the hack because it was the first time researchers had been able to catch OilRig hackers in the act, and record how they moved through a victim’s system.
“It was like having your camera rolling right at the right moment during a robbery on the street,” he said.