ClearSky assesses that the Iran-linked APT groups APT34/OilRig and APT33/Elfin cooperated in the Fox Kitten campaign, which hit dozens of companies and organizations in Israel and around the world
Iran-linked APT34/OilRig and APT33/Elfin have cooperated in the “Fox Kitten” campaign, uncovered by ClearSky cyber security experts. The campaign has been running for the last three years against dozens of companies and organizations in Israel and around the world. Through it, the groups gained access to, and a persistent foothold in, the networks of numerous companies and organizations in the IT, telecommunication, oil and gas, aviation, government and security sectors. The campaign was used as a reconnaissance infrastructure, but it could also be exploited as a platform for spreading and activating destructive malware such as ZeroCleare and Dustman, tied to APT34. In detail, its infrastructure was used to develop and maintain access routes to the targeted organizations, steal valuable information from them, maintain a long-lasting foothold in their networks, and breach additional companies through supply-chain attacks.
The cyber security experts: the most successful and significant attack vector used by the Iranian APTs is the exploitation of known vulnerabilities in unpatched VPN and RDP services
The cyber security experts confirm that the most successful and significant attack vector used by APT34/OilRig and APT33/Elfin has been the exploitation of known vulnerabilities in systems with unpatched VPN and RDP services, used to infiltrate networks and take control of critical corporate information stores. This attack vector is not exclusive to the Iranian APT groups; it has become the main one for cybercrime groups, ransomware operators and other state-sponsored offensive groups. It will apparently remain significant in 2020 through the exploitation of new vulnerabilities in VPNs and other remote-access systems (such as the recent one in Citrix). The Iranian APT groups have also developed good offensive technical capabilities and are able to weaponize 1-day vulnerabilities (recently disclosed and patched flaws) in relatively short periods of time, from several hours to a week or two.
There is a medium-high probability that APT34 and APT33 share attack infrastructures
Since 2017, ClearSky has observed Iranian APT groups focusing on IT companies that provide a wide range of services to thousands of companies. Breaching such organizations is especially valuable because through them the attackers can reach the networks of additional companies. After the breach, the attackers usually maintain a foothold and operational redundancy by installing and creating several more access points into the core corporate network. The researchers also assess with medium-high probability that the Iranian APT groups APT34 and APT33 share attack infrastructure; it may even be a single group that has been artificially classified in recent years as two or three separate APT groups. The time needed to identify an attacker on a compromised network is long, ranging from months to never. For most organizations, identifying and blocking with existing monitoring capabilities an attacker who entered through remote-access tools is difficult to impossible.
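The report's two practical points for defenders are that the entry vector is exposed VPN and RDP services and that intruders who arrive through remote-access tooling are hard to spot afterwards. One starting check, added here as an illustration and not part of ClearSky's report or of the article, is to flag interactive RDP logons that did not arrive through the expected remote-access path. The sample events below are constructed for the example; their field names mirror Windows Security event 4624 (LogonType 10 is RemoteInteractive, i.e. an RDP session), and the assumption that legitimate remote sessions only originate from a VPN client pool of 10.8.0.0/24 is hypothetical.

```python
"""Flag RDP logons (event 4624, LogonType 10) whose source is outside the expected
remote-access path, plus known accounts that suddenly log on from a new source."""
import ipaddress
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names mirror Windows
# Security event 4624; LogonType 10 = RemoteInteractive (RDP), 3 = Network.
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=10.8.0.14 TimeCreated=2020-02-10T08:02:11Z",
    "EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=203.0.113.45 TimeCreated=2020-02-10T23:40:03Z",
    "EventID=4624 LogonType=3 TargetUserName=jdoe IpAddress=10.0.5.9 TimeCreated=2020-02-11T09:15:42Z",
    "EventID=4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.7 TimeCreated=2020-02-11T02:07:55Z",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=10.8.0.22 TimeCreated=2020-02-11T10:30:00Z",
]

# Assumption (hypothetical): interactive remote sessions are only expected to
# originate from the VPN client address pool. Anything else means either RDP is
# reachable directly from outside or a host inside was used as a pivot.
VPN_POOL = [ipaddress.ip_network("10.8.0.0/24")]
RDP_LOGON_TYPE = "10"


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def is_expected_source(ip, allowed=VPN_POOL):
    """True if the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowed)


def find_suspicious_rdp(lines, allowed=VPN_POOL):
    """Return findings for RDP logons from outside the allowed networks and for
    accounts with prior RDP history that appear from a never-seen source."""
    findings = []
    history = defaultdict(set)  # user -> source addresses already seen
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        user, src = ev["TargetUserName"], ev["IpAddress"]
        reasons = []
        if not is_expected_source(src, allowed):
            reasons.append("rdp_from_outside_vpn_pool")
        if history[user] and src not in history[user]:
            reasons.append("new_source_for_known_user")
        history[user].add(src)
        if reasons:
            findings.append({"time": ev["TimeCreated"], "user": user,
                             "source": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rdp(SAMPLE_EVENTS):
        print(f"{f['time']} {f['user']} from {f['source']}: {', '.join(f['reasons'])}")
```

The caveat that matches the report's assessment: this check only catches sessions that bypass the sanctioned remote-access path. An attacker who exploits the VPN appliance itself arrives from inside the pool and looks like any other remote worker, which is exactly why the researchers rate detection of such intrusions as difficult to impossible with ordinary monitoring. Patching the exposed VPN and RDP services within the hours-to-two-weeks window the report describes remains the primary control; this logic is a secondary signal.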