Attribution gets murkier when state-linked threat groups turn on each other: in this case, one group hijacked a rival's foothold inside the infrastructure of a Middle Eastern government.
Researchers at Symantec believe that a Russian-speaking hacking group hijacked the infrastructure of its Iranian rival Crambus (aka OilRig) in 2018.
During this attack, the group known as Waterbug (aka Turla) dropped malware onto systems that Crambus had already compromised; that malware communicated with known Waterbug command-and-control (C&C) servers. In Symantec's reconstruction of the sequence, Crambus first broke into and took control of parts of the network of an as-yet-unnamed Middle Eastern government.
Evidently seeing an opportunity to extend its own access and to piggyback on a rival's foothold, Waterbug dropped a task scheduler tool named msfgi.exe onto a computer on the compromised network. The very next day it used Mimikatz to move laterally across the network.
Mimikatz had first been deployed on that network in early 2018, via infrastructure tied to Crambus. "Mimikatz was downloaded via the Powruner tool and the Poison Frog control panel. The infrastructure, as well as the Powruner tool, have been publicly tied to Crambus by multiple vendors," Symantec researchers note in their report.
The specific Mimikatz variant used in the attack ties it to Waterbug: the group had heavily modified the tool, rewriting almost all of the original code apart from the sekurlsa::logonpasswords credential-stealing feature.
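A build that strips Mimikatz down to one module defeats hash-based and most full-binary signature matching, so triage has to look for what survived. The following Python scanner is an added example for this article, not code from Symantec's report or from the Mimikatz project; it assumes (hypothetically) that the stripped build still carries the plain or UTF-16LE command strings of the modules it kept, and the sample "binaries" it scans are constructed in-line, not real captures. It reports which Mimikatz modules a blob appears to contain and flags the sekurlsa-only case described above.

```python
"""Heuristic triage for stripped-down Mimikatz builds.

Added example for this article; not Symantec's or Mimikatz's own code.
Assumption (hypothetical): a modified build still embeds the ASCII or
UTF-16LE command strings of whichever Mimikatz modules it retained.
"""
from __future__ import annotations

import sys

# Real Mimikatz module names, each with a representative command string.
# Which of these survive in a given build is what the scan tells us.
MODULE_MARKERS: dict[str, list[str]] = {
    "sekurlsa": ["sekurlsa", "logonpasswords"],
    "lsadump": ["lsadump", "dcsync"],
    "privilege": ["privilege::debug"],
    "kerberos": ["kerberos::golden"],
    "crypto": ["crypto::certificates"],
}


def _encodings(marker: str) -> list[bytes]:
    """Mimikatz is a Unicode build, so check both narrow and wide forms."""
    return [marker.encode("ascii"), marker.encode("utf-16-le")]


def find_modules(blob: bytes) -> dict[str, bool]:
    """Map each known module to whether any of its markers occur in blob.

    bytes.lower() only touches ASCII letters, so UTF-16LE text (letter, NUL,
    letter, NUL, ...) is lower-cased correctly as well.
    """
    lowered = blob.lower()
    return {
        module: any(
            enc in lowered
            for marker in markers
            for enc in _encodings(marker.lower())
        )
        for module, markers in MODULE_MARKERS.items()
    }


def classify(blob: bytes) -> str:
    """Coarse verdict: nothing found, sekurlsa-only (stripped), or broader."""
    present = {m for m, hit in find_modules(blob).items() if hit}
    if not present:
        return "no-mimikatz-markers"
    if present == {"sekurlsa"}:
        return "stripped-sekurlsa-only"
    return "full-or-partial-mimikatz"


def _fake_pe(strings: list[str], wide: bool = True) -> bytes:
    """Constructed stand-in for a binary: MZ header, padding, embedded strings."""
    body = b"MZ" + b"\x00" * 64
    for s in strings:
        body += (s.encode("utf-16-le") if wide else s.encode("ascii")) + b"\x00\x00"
    return body + b"\x90" * 32


# Constructed samples (not real malware): a full-featured build, a build that
# kept only the logonpasswords feature, and a benign file with no markers.
SAMPLES: dict[str, bytes] = {
    "full_build": _fake_pe(
        ["privilege::debug", "sekurlsa::logonPasswords", "lsadump::dcsync", "kerberos::golden"]
    ),
    "stripped_build": _fake_pe(["logonPasswords", "sekurlsa"]),
    "benign": _fake_pe(["Hello World", "kernel32.dll"], wide=False),
}


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:  # scan real files when given on the command line
        for path in paths:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
    else:  # otherwise run over the constructed samples
        for name, blob in SAMPLES.items():
            print(name, classify(blob), find_modules(blob))
```

Treat a "stripped-sekurlsa-only" hit as a triage lead rather than a verdict: a build that also obfuscates or encrypts its strings will produce no markers at all, which is why detection of credential theft should ultimately rest on behaviour (a process other than the expected security software opening a handle to LSASS) rather than on strings in the dropped binary.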
Since early 2018 Waterbug has been linked to a series of attacks on organizations in 10 different countries, including ministries of foreign affairs on three continents, an ICT organization in the Middle East and an academic institution in South Asia.
The group also uses basic Visual Basic scripts that perform system reconnaissance after a compromise and send the results back to attacker-controlled servers.