Hacking group turns Microsoft Office flaw into an exploit in less than a week
Less than one week after Microsoft publicly acknowledged a remote code execution vulnerability in Microsoft Office, Iranian hackers targeted the weakness via phishing emails sent to various Middle Eastern government agencies last month, according to research produced Thursday by U.S. cybersecurity firm FireEye.
According to FireEye, the targets indicate that the group is likely linked to the Iranian government. There were multiple attempts to breach financial, energy and government enterprises located in geographic rivals of Iran, such as Saudi Arabia and Israel. This particular cyber espionage group, titled APT34 by FireEye, is also known as “OilRig” to other security researchers.
https://twitter.com/FireEye/status/939214584405250050
APT34 has been especially active since mid-2016, based on publicly available research from FireEye and Kaspersky Lab.
“We believe APT34 is involved in a long-term cyber-espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014,” a FireEye blog post reads. “We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.”
APT34 relies on a mix of open-source, custom and commercial penetration tools to break into targeted organizations, researchers say. The latest phishing campaign used a custom PowerShell backdoor to exploit an outdated, embedded feature Microsoft Office feature known as “Equation Editor.”
During the summer of 2016, APT34 attempted to breach a cohort of different energy organizations all based in the Middle East. During this same time frame, APT34 heavily targeted Saudi Arabian financial institutions. Those operations overlapped with other efforts to spearphish energy, chemical and telecommunications businesses throughout the region.
FireEye’s determination that APT34 is linked to Iranian-based actors was made with “moderate confidence” — a designation defined by analysts in order to qualify the evidence they’ve accumulated.