A cyberespionage group with suspected ties to Iran has been concentrating on Kurdish and Iraqi authorities officers in a years-long cyber espionage marketing campaign, based on a brand new report.
Researchers on the Slovakia-based cybersecurity agency ESET attributed the exercise to a menace actor dubbed BladedFeline, believed to be a subgroup of OilRig, a well-documented Iranian state-backed actor energetic since at the least 2014.
In response to ESET, BladedFeline has been working since at the least 2017, initially breaching techniques belonging to the Kurdistan Regional Authorities (KRG). Since then, the hackers have continued to evolve their toolkit and develop their attain, concentrating on each the KRG and the central authorities of Iraq, in addition to a telecommunications supplier in Uzbekistan.
The group first got here to ESET’s consideration in 2023, when it deployed a easy backdoor generally known as Shahmaran towards Kurdish diplomatic officers. The malware allowed distant attackers to add and obtain recordsdata and execute instructions on compromised units.
Since then, ESET has recognized two further malicious instruments linked to the group: Whisper and PrimeCache. Whisper communicates with attackers by electronic mail attachments despatched through compromised Microsoft Alternate webmail accounts, whereas PrimeCache bears similarities to RDAT, a backdoor beforehand related to OilRig.
Whereas ESET couldn’t affirm the preliminary intrusion vector in all instances, researchers consider BladedFeline could have gained entry to Iraqi authorities techniques by exploiting vulnerabilities in internet-facing servers, utilizing a webshell referred to as Flog to take care of management.
ESET warned that the group is more likely to proceed creating its malware arsenal to retain entry to compromised techniques for cyberespionage functions.
“The KRG’s diplomatic relationship with Western nations, coupled with the oil reserves within the Kurdistan area, makes it an attractive goal for Iran-aligned menace actors to spy on and probably manipulate,” researchers stated.
“In Iraq, these menace actors are most likely making an attempt to counter the affect of Western governments following the US invasion and occupation of the nation.”
OilRig — additionally tracked as APT34 or Hazel Sandstorm — has beforehand focused entities within the chemical, vitality, finance, and telecom sectors throughout the Center East. The group is understood for utilizing compromised organizations to conduct provide chain assaults on different authorities entities.
Final 12 months, researchers warned that OilRig stepped up its assaults towards authorities companies within the United Arab Emirates (UAE) and the broader Persian Gulf area, underscoring their “ongoing dedication” to exploiting vulnerabilities inside crucial infrastructure and authorities networks in geopolitically delicate areas.
Recorded Future
Intelligence Cloud.
Study extra.
