OilRig stole over 13,000 passwords across 18 industries, indicate researchers

• The researchers from Palo Alto Networks extensively analyzed attack tools, scripts and other data of the threat actor group.
• They also found that the group targeted China apart from countries in the Middle East.

A month after the mystery group Lab Dookhtegan divulged details about OilRig a.k.a APT34, researchers from Palo Alto Networks have come up with new findings regarding the data dump discovered on the Internet.

According to their analysis, OilRig stole over 13,000 credentials belonging to 18 industries. Some of these industries include government, technology, telecommunications, and the transportation sector. Altogether, OilRig’s activity compromised 97 organizations in 27 countries.

Key highlights

• The researchers’ analyzed troves of data released by a user known as Mr_L4nnist3r, as well as by the group Lab Dookhtegan.
• Apart from stolen credentials, the data dump released by the two entities included backdoors, web shells, DNS hijacking scripts, screenshots of OilRig’s operational systems, and other documents of the threat actor group.
• The researchers also found internal names used by OilRig threat actors in their operations.
• Among the stolen credentials, a complete Active Directory of a firm was also discovered.
• In addition, the analysis revealed how OilRig was targeting China on top of cornering countries in the Middle East such as United Arab Emirates, Saudi Arabia, and Jordan.

Origins remain unknown

For some reason, the researchers emphasize that they were unable to validate the entire data with respect to its origin. “..although we are able to validate the backdoors and web shells provided in the dataset as consistent with previously researched OilRig toolsets, in general, we are unable to validate the origins of the entirety of the dataset and cannot confirm nor deny that the data has not been manipulated in some manner,” told their blog.

In order to stay away from OilRig’s attacks, Palo Alto Networks has strongly suggested organizations to protect themselves against credential theft and reuse.