Palo Alto Networks Unit 42 threat research team has determined that the OilRig hacking group’s activities are more widespread than previously understood, compromising at least 97 organizations in 27 countries, including China. The conclusions were determined from an analysis of attack tools, scripts and other data believed to belong to OilRig, which were posted on the internet in March. That review found that the group had obtained nearly 13,000 stolen credentials as it targeted 18 industries - including government, technology, telecommunications and transportation. The data was posted in March on recently created Twitter handles including Mr_L4nnist3r( likely a reference to the Lannister family, in the HBO series “Game of Thrones”), @dookhtegan, and @dookhtegan1. Those tweets alleged that OilRig is tied to Iran’s Ministry of Intelligence, claims which Unit 42 has not validated.
Analysis of the leaked data supports findings from previous Palo Alto Networks threat research on OilRig, which Unit 42 has closely followed since May 2016. The research also suggests that protecting against credential theft and reuse is an important step thwart OilRig attacks.
Unit 42 had previously reported that OilRig attackers rely heavily on stolen credentials to carry out their attacks validated. The release of nearly 13,000 stolen credentials, including what appears to be one organization’s entire Active Directory, supports that analysis.
OilRig was previously believed to focus on Arab nations, the new data suggests that China is also of interest. China was the No. 4 country targeted after the United Arab Emirates, Saudi Arabia and Jordan.
For more details on Unit 42’s findings, please see the research blog.