Saudi Arabian Oil and Gas Industry Targeted by Iran in Supply Chain Phishing Attack

The goals behind a cyber campaign consistently give attackers the advantage. Whether the aim is to steal data, earn financial rewards, manipulate information, or cause physical destruction, cyber attackers don’t limit themselves to a direct attack on their targets. Instead, they often use their imaginations and go after their targets’ digital supply chain, which requires no additional technical sophistication and does not risk or compromise the success of the campaign.

In the summer of 2017, Iranian cyber actors identified by Area 1 Security as IRN2, and previously referred to as the “OilRig” campaign, compromised a website belonging to Doosan Power Systems India (DPSI) to conduct a targeted phishing campaign against Saudi Aramco affiliates. Our research, including technical details and indicators of compromise for this supply chain phishing campaign, is available here.

This phishing campaign combined multiple vectors: a careers website that lured victims into submitting resumes; supply chain targeting; and phishing emails delivering malware.

First, Iranian hackers compromised DPSI’s website, a trusted and legitimate domain, to host a weaponized, encrypted, and password-protected .zip archive. Second, unsuspecting affiliates of Saudi Aramco received an email inviting them to apply for a position at DPSI; if they clicked the link within the email, a password-protected .zip archive would be downloaded to their computer, surreptitiously installing malware. This malware, a new variant of the Helminth backdoor, provided persistent access for attackers to the target’s network. The download also launched a phishing website with DPSI careers as the theme, inviting targets to register and submit a resume.
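The delivery mechanism described above, a password-protected .zip served from a trusted third-party domain, is worth pausing on from a mail gateway's point of view: an encrypted archive cannot be scanned for its contents, so the safe policy is to quarantine it rather than deliver it. The following Python script is an added example, not Area 1's detection logic and not code from the original post. It inspects a zip archive's headers without extracting anything and flags entries marked as encrypted or carrying executable extensions, including double extensions such as "resume.pdf.exe". The sample archives it builds, the extension list, and the function names are constructed for this illustration; because the standard library cannot write encrypted archives, the helper patches the PKZIP encryption flag bit into an ordinary archive to simulate what a gateway sees.

```python
import io
import zipfile

# Extensions that, when found inside an emailed or linked archive, warrant
# quarantine rather than delivery. Constructed list for this example.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".ps1",
                    ".bat", ".cmd", ".lnk", ".dll"}

# PKZIP general-purpose flag bit 0 marks an entry as encrypted.
ENCRYPTED_FLAG = 0x0001


def scan_archive(data: bytes) -> dict:
    """Inspect a zip archive's central directory without extracting anything.

    Returns the names of encrypted and risky entries and a verdict:
    "quarantine" when the archive is password-protected, contains executable
    content, or cannot be parsed; otherwise "deliver".
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        # Corrupt or truncated archive: it cannot be scanned, so hold it.
        return {"encrypted": [], "risky": [], "error": "bad zip",
                "verdict": "quarantine"}

    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    risky = []
    for info in infos:
        # Look at every extension in the basename so "resume.pdf.exe" is caught.
        basename = info.filename.lower().rsplit("/", 1)[-1]
        exts = {"." + part for part in basename.split(".")[1:]}
        if exts & RISKY_EXTENSIONS:
            risky.append(info.filename)

    verdict = "quarantine" if (encrypted or risky) else "deliver"
    return {"encrypted": encrypted, "risky": risky, "error": None,
            "verdict": verdict}


def build_sample_zip(filename: str, payload: bytes,
                     mark_encrypted: bool = False) -> bytes:
    """Build a one-entry zip as constructed sample data for testing.

    The stdlib cannot write encrypted archives, so when mark_encrypted is set
    the general-purpose flag bit 0 is patched in both the local file header
    (flags at offset 6) and the central directory header (flags at offset 8).
    The headers are all scan_archive() looks at, so this is enough to
    exercise the encrypted-archive path.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(filename, payload)
    raw = bytearray(buf.getvalue())
    if mark_encrypted:
        for signature, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + flag_offset] |= ENCRYPTED_FLAG
                pos = raw.find(signature, pos + 1)
    return bytes(raw)


if __name__ == "__main__":
    # Constructed samples: a lure mimicking the campaign and a benign resume.
    lure = build_sample_zip("resume.pdf.exe", b"MZ" + b"\x00" * 16, True)
    benign = build_sample_zip("resume.pdf", b"%PDF-1.4 constructed sample")
    print("lure:  ", scan_archive(lure))
    print("benign:", scan_archive(benign))
```

In a deployment the same check would run on both attachments and on archives fetched from links in the message body; the point is that the decision is made on header metadata alone, which is available even when the password is not.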

Digital supply chain attacks exploit an organization’s reliance on suppliers, partners, and vendors, finding and preying on the weakest links in the chain. Suppliers, partners, vendors, and affiliates hold sensitive data, and their IT infrastructure is typically less secure or ineffectively defended. That infrastructure can therefore serve as a stepping stone, giving attackers surreptitious opportunities to enhance their phishing campaigns against a primary target.

Many prominent campaigns have been the result of supply chain phishing:

  • The Target data breach, which exposed 40 million customer credit card numbers, was the result of attackers who initially gained access to the network using credentials obtained from heating, ventilation, and air-conditioning (HVAC) subcontractor Fazio Mechanical Services via a phishing attack.
  • A data breach at Home Depot, which exposed 56 million customer credit card numbers, was the result of a supply chain phishing attack wherein a third-party vendor’s username and password were used to enter Home Depot’s network.
  • The 2010 Stuxnet attack on Iranian nuclear facilities occurred when malware that infected programmable logic controllers (PLCs) and modified Siemens Step 7 software was likely carried into the facilities by third-party contractors.
  • China’s infamous attack against RSA was used to facilitate breaches of defense industry companies relying on SecurID two-factor authentication technology, including Lockheed Martin, Northrop Grumman, and L-3.

There must not be a weak link in your enterprise security ecosystem. Learn more about working with Area 1 Security to extend phishing protection outside your network and throughout your digital supply chain.
