11. Turtle-y Awesome
Coming up this week on Breaking Badness. Today we discuss: A Turtle-y Radical DNS Hijacking Attack, He Licks What? Hacker Group Exposes Iranian APT Operations and Members, and When it Comes to TV, Air On the Side of Caution.
Here are a few highlights from each article we discussed:
- This is a larger-scale version of the type of attack we talked about a few weeks back, the so-called “DNSpionage” targeting Venezuela. Basically, as we’ll see in a second, the attackers are manipulating DNS so as to point victims to attacker-controlled infrastructure. Who are these actors? Well, as is so often the case, and rightly so, Talos is not attributing this campaign to a specific nation-state or other organization. They speculate (and I think they’re right about this) that it’s a well-resourced group, of the type that is unlikely (though not impossible) outside the context of a nation-state.
- DNS hijacking is essentially changing the DNS records for a domain so that it points to an IP you control rather than the legitimate IP. It is not super common, but there are some reasons to be concerned that it could become more so.
- The groups affected are mainly in Middle Eastern and North African countries: organizations like foreign affairs ministries, military, intelligence, etc. Also organizations that support those, like telecoms, which were compromised as part of staging the attacks on the real victims.
- They believe this campaign has been active for more than 2 years.
- The leaker is Lab Dookhtegan, who released the leaked material via a Telegram channel.
- People are theorizing that the group or individual behind this leak may oppose the Iranian regime, or may be a former member.
- One reason why someone would hack APT34 is to force them to retool by burning all their infrastructure.
- Lab Dookhtegan made a pretty clear statement regarding the hack:
“We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks. We hope that other Iranian citizens will act for exposing this regime’s real ugly face!”
- Leaked information includes infrastructure, hacking tools, members, and victims. Dookhtegan also leaked the names and phone numbers of some individuals working for the Iranian Ministry of Intelligence (data on its employees is classified), as well as pictures, names, phone numbers, and email addresses of alleged hackers in the OilRig group. The leak also includes source code for home-grown tools, URLs to web shells on servers belonging to organizations all over the world (governments included), web shell access details, and usernames and passwords from compromised targets.
- In total, Dookhtegan published code for six tools used in OilRig operations: Poison Frog and Glimpse PowerShell-based backdoors (both versions of a tool called BondUpdater according to Palo Alto Networks), web shells HyperShell and HighShell, Fox Panel, and Webmask (the DNSpionage tool analyzed by Cisco Talos).
- Leaked victims: Dookhtegan also published an impressive set of details about the victims of OilRig. These are mainly entities (government agencies and companies) from the Middle East: Dubai Media Inc, Etihad Airways, Abu Dhabi Airports, Emirates National Oil, Lamprell Energy Ltd., Amiri Diwan of Kuwait, Oman Administrative Court, Emirates Prime Minister Office, National Security Agency of Bahrain.
- There isn’t a whole lot of information at this point regarding who is behind the attack, or the attack itself.
- Fun Fact: One of the most famous broadcast signal hijackings occurred way back in 1987, when Max Headroom was actually a thing. There were two separate channels in Chicago that got their programming disrupted by someone doing a fairly good impression of the computer-generated personality Max Headroom.
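As an added example (not code from the podcast, from Talos, or from any of the reports discussed), here is the kind of baseline check a defender can run to catch the record change described in the DNS hijacking item above: compare the current answers for your own domains against a recorded known-good set and flag anything that now points somewhere else. The domain names and addresses are constructed sample data, and checking NS records alongside A records is a generalization on my part, since the notes above only mention repointing a domain to an IP.

```python
# Added example, not code from the podcast or from Talos. BASELINE and OBSERVED are
# constructed sample data for hypothetical names; in practice OBSERVED would be
# filled from periodic resolver queries for the domains you are responsible for.

BASELINE = {  # known-good answers, recorded when each domain was last verified
    "mail.example-ministry.test": {"A": {"203.0.113.10"}, "NS": {"ns1.example-ministry.test"}},
    "vpn.example-telecom.test": {"A": {"198.51.100.5"}, "NS": {"ns1.example-telecom.test"}},
}

OBSERVED = {  # constructed "current" answers: one A record now points elsewhere
    "mail.example-ministry.test": {"A": {"192.0.2.77"}, "NS": {"ns1.example-ministry.test"}},
    "vpn.example-telecom.test": {"A": {"198.51.100.5"}, "NS": {"ns1.example-telecom.test"}},
}

# Ranking used to sort findings: an NS change means the whole zone, not one host,
# is being answered by someone else, so it sorts above a single A record change.
RANK = {"NS": 3, "A": 2, "LOOKUP": 1}


def find_record_changes(baseline, observed):
    """Compare observed answers with the baseline.

    Returns a list of (name, rtype, added, removed) tuples, highest rank first.
    A name missing from `observed` entirely is reported with rtype "LOOKUP", so an
    outage or a withheld answer is never silently treated as "no change".
    """
    findings = []
    for name, expected in baseline.items():
        if name not in observed:
            findings.append((name, "LOOKUP", [], ["no answer"]))
            continue
        for rtype, expected_set in expected.items():
            seen = set(observed[name].get(rtype, ()))
            added, removed = seen - expected_set, expected_set - seen
            if added or removed:
                findings.append((name, rtype, sorted(added), sorted(removed)))
    return sorted(findings, key=lambda f: RANK.get(f[1], 0), reverse=True)


if __name__ == "__main__":
    for name, rtype, added, removed in find_record_changes(BASELINE, OBSERVED):
        print(f"{name} {rtype}: now {added or '-'}, was {removed or '-'}")
```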
This Week’s Hoodie Scale
A Turtle-y Radical DNS Hijacking Attack
[Tim]: 7.5/10 Hoodies
[Emily]: 8/10 Hoodies
He Licks What? Hacker Group Exposes Iranian APT Operations and Members
[Tim]: 9/10 Hoodies
[Emily]: 9/10 Hoodies
When it Comes to TV, Air On the Side of Caution
[Tim]: 20 millahoodies/10 Hoodies (for society) & 8/10 Hoodies for the Weather Channel
[Emily]: 4/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!