A Crambus  cyberespionage campaign prospects a Middle Eastern government.
the cyberwire logoOct 23, 2023

Iran's APT34 (a.k.a. OilRig, a.k.a. Crambus) is working subtly and effectively against a Middle Eastern government.

A Crambus cyberespionage campaign prospects a Middle Eastern government.

Iran's OilRig threat group, also known as APT34 and, by Symantec, as Crambus, conducted an eight-month intrusion campaign against a Middle Eastern government.

Cyberespionage campaign established persistent remote access.

The Threat Hunter Team at Symantec (a Broadcom company) reported late last week that Crambus "stole files and passwords and, in one case, installed a PowerShell backdoor (dubbed PowerExchange) that was used to monitor incoming mails sent from an Exchange Server in order to execute commands sent by the attackers in the form of emails, and surreptitiously forwarded results to the attackers."

The operation also exploited the network administration tool Plink "to configure port-forwarding rules on compromised machines." This permitted them to establish access to the targets through the Remote Desktop Protocol (RDP). APT34 also seemed to have been able to enable remote access by modifying Windows firewall rules.

Which government was targeted Symantec doesn't say, but the researchers do note that the Crambus target list has historically included Saudi Arabia, Israel, the United Arab Emirates, Iraq, Jordan, Lebanon, Kuwait, Qatar, Albania, the United States, and Turkey.

Advice on protecting an organization against APTs.

David Mitchell, Chief Technical Officer at HYAS, speculated in emailed comments over how the target government might have left itself open to attack. “While this is not surprising, it further reinforces the need for network wide visibility and protection. Without knowing the details of said governments' security posture internally, it appears they did not utilize protective DNS, network traffic visibility or log analysis — a combination of methods that would’ve most assuredly detected this behavior. Siloed security products continue to give customers a false sense of security and need to be deployed up and down the OSI stack in order to be effective.”

And Emily Phelps, Director at Cyware, observed that threat intelligence alone is insufficient safeguard against APTs. “Advanced persistent threat (APT) groups such as Crambus have the resources to maintain ongoing targeted attacks. The importance of organizations and government entities moving from a reactive to proactive cybersecurity posture cannot be overstated. Investing not only in threat intelligence but in technologies that enable organizations to take action on intelligence is mission critical to outpacing motivated adversaries.”