Cybersecurity for Everyone Course
FINAL PROJECT - OILRIG
BY: CESAR MURILO RIBEIRO
OilRig Attack Case Studies: The Hacking Process Tactics on Their Targets.
The Primary, Secondary, and Second Order Effects
• Attack 1: An OilRig attack utilizing Ai Squared software
• Attack 2: An OilRig assault masquerading as Oxford University
• Attack 3: Attack on Al-Elm and Samba Financial Group by OilRig
• Attack 4: Attack on job seekers by OilRig
• Attack 5: Attack on Israeli IT providers by OilRig
Hackers are not all the same; they range in skill, resources, and capability and often go by different names. How would you classify this threat actor? Do they go by any aliases? Where are they from? How would you rate the skill level and resources available to this threat actor?
OilRig has been classed as an Advanced Persistent Threat (APT) due to the multiple attacks it has undertaken, each of which has varied in efficacy. The Iranian government is behind OilRig. Cobalt Gypsy is one of their other identities, while others include IRN2, Helix Kitten, Twisted Kitten, and APT34. According to a Forbes article from the Israeli IT business ClearSky, OilRig's roots may be traced back to Iran, and the Counter Threat Unit of the cyber intelligence company SecureWorks is positive that the group is tied to the Iranian government. They've had success in the Middle East while doing the majority of their business elsewhere. OilRig targets businesses outside of Iran, whereas the vast majority of Iranian threat actors target government institutions and opposition figures. OilRig is confident in its ability to carry out any activity that is expected to benefit Iran because it works with or for the (Islamic Republic of) Iran. Similarly, in the Mabna Institute incident, the Islamic Revolutionary Guard Corps enlisted an Iranian institution (the Mabna Institute) to carry out a massive spear phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion dollars in intellectual property (IP).
Hackers are motivated to act for specific reasons. What are the motivations of your threat actor? What is the specific geo-political context they are operating in, and what insight does that give you for why they are operating in this manner?
OilRig's espionage, according to the Council on Foreign Relations, targets private-sector and government organizations. According to Merriam-Webster, espionage is the action of spying or utilizing spies to obtain information about a foreign government's or a competing enterprise's goals and operations. The Cambridge Economic English Dictionary defines it as "the act of secretly obtaining and reporting information, particularly covert political, military, business, or industrial intelligence." According to the Middle East Institute (MEI), "many countries stopped doing business with Iran as a result of the Iranian Revolution of 1979, and so stealing academic and corporate information from around the world allows it to renew infrastructure and build technologies that it simply cannot purchase abroad, ranging from weaponry to airplane parachutes." Because Iran is subject to economic sanctions, they rely on what many refer to as "soft war" (less regulated and low-level combat for lengthy periods of time) in cyberspace, with the public and commercial sectors of adversary nations as their objective. MEI also anticipated that Iran-linked organisations will focus on two cyber activities in the medium and long term: international election meddling and widespread intellectual property (IP) theft.
Attack 1 - Ai Squared software is used in an OilRig attack
• Ai Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid visually impaired internet users. According to Forbes, security firm Symantec told Ai Squared that the certificates used to authenticate its software had been compromised, implying that a threat actor (OilRig) obtained Ai Squared's signing key and certificates and used them to disguise their own malware as legitimately signed software.
• The plan was to use the software for the visually impaired as a surveillance tool while seeming genuine to security systems in the Middle East, Europe, and the United States. When the digital certificate required to sign newer ZoomText and Window-Eyes software products was compromised, the certificate was revoked, according to a notice on the Ai Squared website in 2017.
Attack 1
• Reconnaissance: From OilRig's point of view, the Ai Squared tech business has software that would allow the gang to quickly reach its victims in the Middle East, Europe, and the United States, where they have a large number of targets.
• Weaponization: OilRig is said to have obtained Ai Squared's signing key and certificate and used them to sign their own malware. The majority of individuals had considered adopting Ai Squared's (previously compromised) software to assist the visually impaired in accessing the internet.
• Installation and Exploitation: To guarantee that the program works properly, users must install and test it on their PCs.
• Command and Control: By installing the program (malware) unknowingly, victims give the OilRig gang information that may be exploited to gain access to bigger networks.
• Initial Impact - Use of the End Host: OilRig has infected software for the blind with malware for espionage purposes. The fundamental result is that the end host gets exploited.
• Secondary Impact on Income, Reputation, and Macroeconomics: Sales would be lower than predicted since OilRig's spyware tainted the application. Customers would then rely on reputation to locate new software that provides the same sort of service. Macroeconomics: If the program becomes polluted, the personnel working on it may change.
• Second Order Information/Perception Effect: Anyone with access to the program could get the impression that the business is just a cover for spying.
Attack 2 - Attack by OilRig posing as Oxford University
• In November 2016, the OilRig group registered two phoney Oxford University pages, according to ClearSky. The first is a website for registering for conferences, while the second claims to offer employment within the university.
• On both pages, there was a download button that visitors could use. The fictional event's registration form is in one file, and an Oxford University CV builder is in the other. After clicking, victims unknowingly hand their data to Helminth, the malware that OilRig uses to hijack the PC and steal data, without even realising it.
Attack 2
• Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once.
• Weaponization - Two fictitious Oxford University websites were made by OilRig, one of which appeared to be a job board and the other a place to sign up for conferences.
• Delivery - People who are interested in working for Oxford or attending a conference that Oxford is hosting are sure to follow the fictitious page's instructions.
• Installation and Exploitation - The victims, once on the fake website(s), are encouraged to fill in what seems to be a normal registration form and download files that are infected with OilRig's surveillance malware.
• Command & Control - OilRig now has access to the computers infected with Helminth malware and has gathered the basic information of their victims, because people registered and downloaded files from the bogus websites.
• Initial Impact - Use of the End Host: OilRig set out to gather personal data through the fictitious Oxford website they developed.
• Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer as a result of the fake website's use of their name and other identifiers.
• Second-order effects on perception and information: Everyone who provided personal information and registered on the fictitious Oxford websites would now choose different universities to be affiliated with, which is a regrettable development.
Attack 3 - Attack by OilRig on Samba Financial Group and Al-Elm
• According to a 2017 Forbes article, the group started conducting phishing attacks in May 2016 from servers owned by the Saudi Arabian IT security contractor Al-Elm. The email was inserted into an existing discussion between the Saudi Arabian lender Samba Financial Group and Al-Elm. The email had an Excel attachment called "notes.xls," which, when opened by the recipient, would launch OilRig's Helminth surveillance kit.
• In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from within the sender's company and that "the threat actor previously compromised those organisations," according to SecureWorks intelligence analyst Allison Wikoff.
Attack 3
• Reconnaissance - Here, the Samba Financial Group is highlighted, which reported a profit of $290 million for the most recent quarter of the previous year.
• Weaponization - The OilRig group decided to use Al-Elm's previously compromised network to communicate with Samba Financial Group.
• Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them contained OilRig's Helminth spying programme.
• Installation and Exploitation - After the email has been sent, anyone who opens the "notes.xls" Excel attachment will have the Helminth surveillance kit installed on their computer.
• Command & Control - After opening the email, everything might appear to be in order, but OilRig has installed the surveillance kit, giving them access to that computer and perhaps the company's network.
• Initial Impact - Use of the End Host: OilRig sent emails containing the Helminth surveillance kit to Al-Elm Security and Samba Financial Group through phishing attacks.
• Secondary effects on reputational damage and remediation: Remediation - Depending on how badly they were affected, the infected devices at both ends would now be scanned, cleaned, and possibly replaced. Reputation - Threat actors should be prevented from interfering with IT security companies' client relationships, since such interference damages those companies' reputations.
• Second-order effects on perception and information: Due to the phishing emails sent, both businesses will now proceed with great caution when creating new business alliances.
Attack 4 - Attack by OilRig on job seekers
• The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts in the same report as the earlier incident that the group has been sending emails containing malware from legitimate email addresses belonging to two IT service providers: an Egyptian one and one of the biggest in Saudi Arabia, the National Technology Group.
• These email addresses were used to send emails with links to job offers to an unnamed Middle Eastern organization. The attachments contained PupyRAT, an open-source remote access trojan (RAT) that works on Android, Linux, and Windows platforms.
Attack 4
• Reconnaissance - OilRig intended to attack an unnamed entity, but they decided to go after the Middle East instead.
• Weaponization - The OilRig group decided to send malicious emails through National Technology Group, a Saudi Arabian IT supplier, and ITWorx, an Egyptian IT service provider.
• Delivery - OilRig sent their victims alluring job offers via email accounts owned by the IT firms.
• Installation and Exploitation - When recipients clicked on the email's link or attachment, an open-source remote access trojan was waiting for them.
• Command & Control - After the link has been clicked, the malware starts to gather login information from the user and the computer.
• Initial Impact - Use of the End Host: OilRig sent emails to a range of targets that were infected with an open-source remote access trojan and contained links to job offers from reputable IT companies.
• Secondary Impact on Reputation: Candidates should think twice before accepting a position with an IT company, even though the job offers might be legitimate, now that they can trace the PupyRAT's origin and link it to their own devices.
• Second-order effects on information and perception: The companies run the risk of developing a negative reputation for monitoring both past and present customers.
Attack 5 - Attack by OilRig on Israeli IT providers
• Reconnaissance - OilRig believes that, because Israel is their intended target, attacking IT vendors will assist them in breaking into crucial networks.
• Weaponization - It is a given that OilRig already has access to hacked user accounts from different Israeli IT vendors.
• Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
• Installation and Exploitation - When the vendor's staff attempt to access the user's account using the provided credentials, they are prompted to download a Juniper VPN client in order to continue. The attackers bundle a genuine Juniper VPN client with the spying malware Helminth.
• Command & Control - After a successful installation, OilRig would have access to the device and to the emails of many other clients and customers that utilise the vendor's services.
• Initial Impact - Use of the End Host: OilRig disguised themselves as customers who needed help because they were interested in breaking into Israeli networks.
• Secondary Impact on Cleanup: Remediation - Some employees of the company may have carried out the threat actor's instructions because it is their responsibility to maintain customer satisfaction. As a result, businesses may need to inspect, maintain, or upgrade their equipment.
• Second-order effects on information and perception: People who use the VPN may be concerned that their devices carry the surveillance malware Helminth, because it was bundled with a legitimate Juniper VPN client.
Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor: are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond?
• The range of OilRig's targets makes them an Advanced Persistent Threat (APT). Their primary activity is espionage; instead of erasing or altering anything they gain access to, they simply sit back and wait while their Helminth malware completes its work. They have used compromised email to obtain stolen information for the majority of their espionage operations. Targeting private industries is something OilRig is interested in doing, and they use mostly subtle methods like phishing. They pose a clear threat to businesses, but because these organisations have connections with both private and public institutions, one email could give them access to a powerful corporation or government office, making them both a private issue and a public one. The best course of action would be to impose more economic sanctions, since OilRig has been identified as an Iranian threat actor.
• The amount of pressure that any one nation could exert on Iran to make good on harm caused by cyber espionage is limited. It is feasible, but it could take a very long time, and once any secrets are compromised, they cannot be replaced. If Iran agrees, or if other nations share their concerns, policymakers could work together to craft treaties that would penalise and deter threat actors operating from Iran. If a group of nations wants to rewrite the Iran Nuclear Deal in the future, there should be clear punishments, rather than financial incentives, for any cyber-related activities, such as espionage, coming from any group that can be traced back to or is supported by Iran.
FINAL PROJECT - OILRIG
BY: CESAR MURILO RIBEIRO

More Related Content

PPTX
Cyber crime and Security
PDF
Computer Evidence/Computer Misuse Act 1990 cases
PPTX
Final Assignment.pptx
PPT
WorldCom Fraud
PDF
Customer IAM vs Employee IAM (Legacy IAM)
PDF
Phishing: se lo conosci, lo eviti
PPTX
Cybercrime
PPT
Computer Misuse Act
Cyber crime and Security
Computer Evidence/Computer Misuse Act 1990 cases
Final Assignment.pptx
WorldCom Fraud
Customer IAM vs Employee IAM (Legacy IAM)
Phishing: se lo conosci, lo eviti
Cybercrime
Computer Misuse Act

What's hot (14)

PPTX
Cybercrime
PPTX
Cyber crime ppt
PDF
Cybersecurity for Everyone Course. Final Project OilRig.pdf
PPT
Growing cyber crime
PPTX
Cybercrime
PPTX
PPT on cyber LAW And ACT Of INDIA
PPS
Fotos Antiguas De La CoruñA 2008
PPTX
Cyber Crime
PPTX
Cyber Crime - What is Cyber Crime
PPTX
Email Security Awareness
PPTX
Cyber Crime
DOCX
E crime thesis Cyber Crime and its several types
PPTX
Final Project for the Cybersecurity for Everyone Course- Oilrig.pptx
DOC
Cyber crime
Cybercrime
Cyber crime ppt
Cybersecurity for Everyone Course. Final Project OilRig.pdf
Growing cyber crime
Cybercrime
PPT on cyber LAW And ACT Of INDIA
Fotos Antiguas De La CoruñA 2008
Cyber Crime
Cyber Crime - What is Cyber Crime
Email Security Awareness
Cyber Crime
E crime thesis Cyber Crime and its several types
Final Project for the Cybersecurity for Everyone Course- Oilrig.pptx
Cyber crime
Ad

Similar to Cyber Security for Everyone Course - Final Project Presentation (20)

PPTX
ppt_deck_cybersecurity_for_Everyone.pptx
PPTX
SIEM Fundamentals-Session 1 presentations
PPTX
UNVEILING THE THREAT ACTOR FOR CYBERSECURITY ASSIGNMENT.pptx
PDF
NewsByte Mumbai October 2017
PDF
ALPHV site taken down [EN].pdf
PPTX
ECOWAS Cybersecurity Strategy Workshop
PDF
Cyber Resilience
PPT
2009 10 21 Rajgoel Trends In Financial Crimes
PDF
2. Cyber Intelligence in online gambling final
PDF
Failed Ransom: How IBM XGS Defeated Ransomware
PDF
Phishing 101: Part-2 Blog Welcome to this Phishing Blog Part2
PDF
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted...
PDF
A Review Paper on Cyber-Security
PPTX
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
PPT
Security Lifecycle Management Process
PDF
A Joint Study by National University of Singapore and IDC
PPT
Secure by design and secure software development
PDF
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
PDF
Cybersecurity | Risk. Impact. Innovations.
PDF
File000154
ppt_deck_cybersecurity_for_Everyone.pptx
SIEM Fundamentals-Session 1 presentations
UNVEILING THE THREAT ACTOR FOR CYBERSECURITY ASSIGNMENT.pptx
NewsByte Mumbai October 2017
ALPHV site taken down [EN].pdf
ECOWAS Cybersecurity Strategy Workshop
Cyber Resilience
2009 10 21 Rajgoel Trends In Financial Crimes
2. Cyber Intelligence in online gambling final
Failed Ransom: How IBM XGS Defeated Ransomware
Phishing 101: Part-2 Blog Welcome to this Phishing Blog Part2
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted...
A Review Paper on Cyber-Security
NUS-ISS Learning Day 2017 - Managing Cybersecurity Risk in the Digital Era fo...
Security Lifecycle Management Process
A Joint Study by National University of Singapore and IDC
Secure by design and secure software development
MID_Modern_Threats_Landscape_GTI_Alex_de_Graaf_EN
Cybersecurity | Risk. Impact. Innovations.
File000154
Ad

More from CMR WORLD TECH (20)

PDF
Cyber Security
PDF
CPQ Básico
ODP
Cpq basics bycesaribeiro
ODP
Apexbasic
PDF
Questoes processautomation
ODP
Process automationppt
PDF
Transcript mva.cesar
PDF
Aws migration-whitepaper-en
PDF
Delivery readness for pick season and higth volume
PDF
Why digital-will-become-the-primary-channel-for-b2 b-engagement
PDF
Transcript Micrsosft Java Azure
PDF
Buisiness UK Trading Marketing Finance
PDF
Hyperledger arch wg_paper_1_consensus
PDF
Master lob-e-book
PDF
Apexand visualforcearchitecture
PDF
Trailblazers guide-to-apps
PDF
Berkeley program on_data_science___analytics_1
PDF
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
PDF
Salesforce voice-and-tone
PDF
Success cloud-overview
Cyber Security
CPQ Básico
Cpq basics bycesaribeiro
Apexbasic
Questoes processautomation
Process automationppt
Transcript mva.cesar
Aws migration-whitepaper-en
Delivery readness for pick season and higth volume
Why digital-will-become-the-primary-channel-for-b2 b-engagement
Transcript Micrsosft Java Azure
Buisiness UK Trading Marketing Finance
Hyperledger arch wg_paper_1_consensus
Master lob-e-book
Apexand visualforcearchitecture
Trailblazers guide-to-apps
Berkeley program on_data_science___analytics_1
Rep consumer experience_in_the_retail_renaissance_en_28_mar18_final_dm_
Salesforce voice-and-tone
Success cloud-overview

Recently uploaded (20)

PPTX
Internet of Things (IOT) - A guide to understanding
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
PPTX
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
PDF
Arduino robotics embedded978-1-4302-3184-4.pdf
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
PPTX
UNIT 4 Total Quality Management .pptx
PPTX
CH1 Production IntroductoryConcepts.pptx
PDF
Structs to JSON How Go Powers REST APIs.pdf
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
PPT
Mechanical Engineering MATERIALS Selection
PDF
PPT on Performance Review to get promotions
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
PPTX
additive manufacturing of ss316l using mig welding
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
PDF
composite construction of structures.pdf
Internet of Things (IOT) - A guide to understanding
Model Code of Practice - Construction Work - 21102022 .pdf
FINAL REVIEW FOR COPD DIANOSIS FOR PULMONARY DISEASE.pptx
Operating System & Kernel Study Guide-1 - converted.pdf
Arduino robotics embedded978-1-4302-3184-4.pdf
Lesson 3_Tessellation.pptx finite Mathematics
UNIT 4 Total Quality Management .pptx
CH1 Production IntroductoryConcepts.pptx
Structs to JSON How Go Powers REST APIs.pdf
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
Mechanical Engineering MATERIALS Selection
PPT on Performance Review to get promotions
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
additive manufacturing of ss316l using mig welding
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
composite construction of structures.pdf

Cyber Security for Everyone Course - Final Project Presentation

  • 1. Cybersecurity for Everyone Course FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 2. OilRig Attack Case Studies: The Hacking Process Tactics on Their Targets. The Primary, Secondary, and Second Order Effects •  Attack 1: An attack on an oil rig utilizing Al Squared software. •  Attack 2: An Oilrig assault masquerading as Oxford University •  Attack 3-Attack on Al Elm and Samba Financial Group by OilRig •  Attack 4-Attack on Job Seekers by Oil Rigs •  Attack 5-Attack on Israeli IT providers by Oil Rigs FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 3. Hackers arenot all the same; they rangein skill, resources, and capability and often go by differentnames. How would you classify this threat actor? Do they go by any aliases? Whereare they from? How would you ratethe skill level and resources availableto this threat actor? OilRig has been classed as an Advanced PersistentThreatdue to the multiple attacks it has undertaken, each of which has varied in efficacy (APT). TheIranian governmentis behind OilRig. Cobalt Gypsy is oneof their other identities, while others include IRN2, Helix Kitten, Twisted Kitten, and APT34. According to a Forbes article from the IsraeliITbusiness ClearSky, OilRig's roots may betraced back to Iran, and the Counter Threat Unit of the cyber intelligence company SecureWorks is positivethat the group is tied to the Iranian government. They'vehad success in the Middle East while doing the majority of their business elsewhere. OilRig targets businesses outsideof Iran, whereas thevastmajority of Iranian threatactors targetgovernmentinstitutions and opposition figures. OilRig is confident in its ability to carry out any activity that is expected to benefit Iran becauseit works with or for the (Islamic Republic of) Iran. Similarly to the Mabna Instituteincident, the Islamic Revolutionary Guard Corps enlisted an Iranian institution(Mabna Institute) to carry out a massivespear phishing campaign, resulting in the loss of 31.5 gigabytes of academic data and 3.4 billion dollars in intellectual property (IP). FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 4. Hackers are motivated to act for specific reasons. What are the motivations of your threat actor? What is the specific geo-political context they are operating in and what insight does that give you for why they are operating in this manner? OilRig espionage, according to the Council on Foreign Relations, targets private-sector and government organizations. According to Merriam- Webster, espionage is the action of spying or utilizing spies to obtain information about a foreign government's or a competing enterprise's goals and operations. The Cambridge Economic English Dictionary defines it as "the act of secretly obtaining and reporting information, particularly covert political, military, business, or industrial intelligence." According to the Middle East Institute (MEl), "many countries stopped doing business with Iran as a result of the Iranian Revolution of 1979, and so stealing academic and corporate information from around the world allows it to renew infrastructure and build technologies that it simply cannot purchase abroad, ranging from weaponry to airplane parachute. '' Because Iran is subject to economic sanctions, they rely on what many refer to as "soft war" (less regulated and low-level combat for lengthy periods of time) in cyberspace with public and commercial sectors of adversary nations as their objective. MEl also anticipated that Iran-linked organisations will focus on two cyber activities in the medium and long term: international election meddling and widespread intellectual property theft (IP). FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 5. Attack 1-Al Squared software is used in an oil rig attack •  Al Squared, a tiny, mission-driven tech business based in Vermont, developed software to aid visually impaired internet users. According to Forbes, security firm Symantec told Al Squared that certifications for technology used to authenticate its authenticity had been compromised, implying that a threat actor (OilRig) obtained Al Squared's signing key and certificates and used them to hide their own malware. •  The plan was to use the visually impaired software as a surveillance tool while seeming genuine to security systems in the Middle East, Europe, and the United States. When the digital certificate required to certify newer ZoomText and Window-Eyes software products was compromised, their certification was cancelled, according to a notice on the Al Squared website in 2017. FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 6. Attack 1 •  Reconnaissance: The Al Squared tech business, according to OilRig, has software that will allow the gang to quickly locate its victims in the Middle East, Europe, and the United States, where they have a large number of targets. •  Weaponization: Oilrig is said to have gotten Al Square's signing key and certificate and is using it to construct their own malware. The majority of individuals have considered adopting Al Square's (previously hacked) software to assist the visually handicapped in accessing the internet. •  Installation and Exploitation: To guarantee that the program works properly, users must install and test it on their PCs. •  Command and Control: By installing the program (malware) unknowingly, victims give the OilRig gang with information that may be exploited to gain access to bigger networks. •  OilRig has infected blind software with malware for espionage purposes. The fundamental result is that the end host gets exploited. •  As a result, the following income, reputation, and macroeconomic effects have occurred: Sales would be lower than predicted since Oilrig's spying spyware tainted the application. Customers would then utilize reputation to locate new software that provides the same sort of service. Macroeconomics: If the program becomes polluted, the personnel working on it may change. •  Second Order Information/Perception Effect: Anyone with access to the programmer could get the impression that the business is just a cover for spying. FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 7. Attack 2 - Attack by OilRig posing as Oxford University •  In November 2016, the OilRig group registered two phoney Oxford University pages, according to ClearSky. The first is a website for registering for conferences, while the second claims to offer employment within the company. •  On both pages, there was a download button that visitors could use. The fictional event's registration form is in one file, and an Oxford University CV builder is in the other. After clicking, victims unknowingly give data to Helminth, the malware that OilRig uses to hijack the PC and steal data, without even realising it. FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
  • 8. Attack 2 •  Reconnaissance - OilRig created bogus Oxford University websites to attack multiple targets at once. •  Weaponization - Two fictitious Oxford University websites were made by OilRig, one of which appeared to be a job board and the other to be a place to sign up for conferences. •  Delivery - People who are interested in working for Oxford or attending a conference that Oxford is hosting are sure to adhere to the fictitious page requirements. •  Installation and Exploitation - The victims, once on the fake website/s are encouraged to fill-up what seem to be a normal registration form and download files that are infected by OilRig's surveillance malware. •  Control & Command - OilRig now has access to the computers with Helminth malware infections and has gathered the basic information of their victims because people registered and downloaded files from the bogus websites. •  Initial Impact - Utilization of the End Host: OilRig considered gathering personal data through the fictitious Oxford website they developed. •  Secondary Impact on Credibility: Oxford University's reputation will undoubtedly suffer as a result of the fake website's use of their name and other identifiers. •  Second-order effects on perception and information: Everyone who provided personal information and registered on the fictitious Oxford websites would now choose different universities to be affiliated with, which is a regrettable development. FINAL PROJECT - OILRIG BY: CESAR MURILO RIBEIRO
• 9. Attack 3 - Attack by OilRig on Samba Financial Group and Al-Elm
  • According to a 2017 Forbes article, the group started conducting phishing attacks in May 2016 from servers owned by Al-Elm, a Saudi Arabian contractor and IT security company. The phishing email was inserted into an existing discussion between the Saudi Arabian lender Samba Financial Group and Al-Elm. It carried an Excel attachment named "notes.xls" which, when opened by the recipient, launched OilRig's Helminth surveillance kit.
  • In the case of Al-Elm, analysis of the phishing emails' headers revealed that they originated from within the sender's own company and that "the threat actor previously compromised those organisations," according to SecureWorks intelligence analyst Allison Wikoff.
• 10. Attack 3
  • Reconnaissance - The target here is Samba Financial Group, which reported a profit of $290 million for the most recent quarter of the previous year.
  • Weaponization - The OilRig group chose to use Al-Elm's "previously compromised" network to communicate with Samba Financial Group.
  • Delivery - Al-Elm and Samba Financial Group exchanged emails, and one of them carried OilRig's Helminth spying programme.
  • Installation and Exploitation - Once the email has been sent, anyone who opens the "notes.xls" Excel attachment has the Helminth surveillance kit installed on their computer.
  • Command & Control - After the email is opened, everything might appear to be in order, but OilRig has installed the surveillance kit, giving them access to that computer and potentially the company's network.
  • Initial Impact - Use of the End Host: through phishing, OilRig sent emails carrying Helminth surveillance kits to Al-Elm Security and Samba Financial Group.
  • Secondary effects on reputational damage and remediation:
    Remediation: depending on how badly they were affected, the infected devices on both ends would now be scanned, cleaned, and possibly replaced.
    Reputation: threat actors should be prevented from interfering with IT security companies' client relationships, since such interference damages those companies' reputations.
  • Second-order effects on perception and information: Because of the phishing emails, both businesses will now proceed with great caution when forming new business alliances.
• 11. Attack 4 - Attack by OilRig on job seekers
  • The cyber intelligence firm SecureWorks, which refers to the OilRig crew as Cobalt Gypsy, asserts in the same report as the previous incident that the group has been sending malware-laden emails from legitimate email addresses belonging to two IT service providers: ITWorx, an Egyptian firm, and the National Technology Group, one of the biggest IT service providers in Saudi Arabia.
  • These email addresses were used to send emails containing links to job offers to an unnamed Middle Eastern organisation. The attachments contained PupyRAT, an open-source remote access trojan (RAT) that runs on Android, Linux, and Windows.
• 12. Attack 4
  • Reconnaissance - OilRig set out to attack an unnamed entity, choosing a target in the Middle East.
  • Weaponization - The OilRig group chose to send malicious email through National Technology Group, a Saudi Arabian IT supplier, and ITWorx, an Egyptian IT service provider.
  • Delivery - OilRig sent its victims alluring job offers from email accounts owned by the IT firms.
  • Installation and Exploitation - When recipients clicked the email's link or attachment, an open-source remote access trojan was waiting for them.
  • Command & Control - Once the link has been clicked, the malware starts gathering login information from the user and the computer.
  • Initial Impact - Use of the End Host: OilRig sent a range of targets emails infected with an open-source remote access trojan and containing links to job offers from reputable IT companies.
  • Secondary Impact on Reputation: Candidates should think twice before accepting a position with an IT company, even though the job offers might be legitimate, now that they can trace PupyRAT's origin and link it to their own devices.
  • Second-order effects on information and perception: The companies run the risk of gaining a reputation for monitoring both past and present customers.
• 13. Attack 5
  • Reconnaissance - Because Israel is its intended target, OilRig believes that attacking IT vendors will help it break into crucial networks.
  • Weaponization - It is a given that OilRig already had access to hacked user accounts from various Israeli IT vendors.
  • Delivery - In an email to the vendors, the group poses as a real customer and requests assistance.
  • Installation and Exploitation - When the vendor's staff attempt to access the user's account with the provided credentials, they are prompted to download a Juniper VPN in order to continue. The download bundles a genuine Juniper VPN with the spying malware Helminth.
  • Command & Control - After a successful installation, OilRig has access to the device and to the emails of many other clients/customers who use the vendor's services.
  • Initial Impact - Utilization of the End Host: Seeking to break into Israeli networks, OilRig disguised themselves as customers in need of help.
  • Secondary Impact on Cleanup: Remediation - Some company employees may have carried out the threat actor's instructions because keeping customers satisfied is their job. As a result, businesses may need to inspect, maintain, or upgrade their equipment.
  • Second-order effects on information and perception: People who use the VPN may worry that their devices carry the surveillance malware Helminth, because it was bundled with a legitimate Juniper VPN.
• 14. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor: are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond?
  • The range of OilRig's targets makes them an Advanced Persistent Threat (APT). Their primary activity is espionage; rather than erasing or altering what they gain access to, they simply sit back while their Helminth malware does its work. For most of their espionage operations they have used compromised email to obtain stolen information. OilRig is interested in targeting private industry and relies mostly on subtle methods such as phishing. They pose a clear threat to businesses, but because these organisations are connected to both private and public institutions, a single email could give OilRig access to a powerful corporation or government office, making them both a private issue and a public one. The best course of action would be to impose further economic sanctions, since OilRig has been identified as an Iranian threat actor.
• 15. Not all hackers represent a strategic problem for policy makers. How would you characterize your threat actor: are they chiefly a private problem for businesses or a public concern for policy makers? How should policy makers respond?
  • The pressure that any one nation could exert on Iran to make good on the harm caused by cyber espionage is limited. It is feasible, but it could take a very long time, and once secrets are compromised they cannot be replaced. If Iran agrees, or if other nations share these concerns, policymakers could work together to craft treaties that penalise and deter threat actors operating from Iran. If a group of nations wants to rewrite the Iran Nuclear Deal in the future, it should include clear punishments, rather than financial incentives, for any cyber-related activity such as espionage by any group that can be traced back to or is supported by Iran.