Iranian APT34 Launches Supply Chain Attack on UAE

APT34, a notorious Iranian cyber threat group, has once again resurfaced with a new attack strategy. This time, they have launched a supply chain attack with the ultimate objective of infiltrating government targets within the United Arab Emirates (UAE). Security researcher Maher Yamout from Kaspersky’s EEMEA Research Center has shed light on the details of this attack.

APT34's modus operandi was to lure victims with a deceptive IT job recruitment form. The threat actors created a fake website posing as an IT company based in the UAE, then sent the malicious recruitment form to a specific target IT company. When the victim opened the seemingly legitimate document to apply for the advertised IT job, it executed info-stealing malware.

Yamout explained that this malware collected sensitive information and credentials, which enabled APT34 to gain access to the networks of the IT company’s clients. The attackers then proceeded to specifically target government clients by exploiting the victim IT group’s email infrastructure for command-and-control communication and data exfiltration. While Kaspersky couldn’t definitively verify the success of the government attacks due to limited downstream visibility, Yamout stated that they assessed with medium to high confidence that these attacks were indeed successful, based on APT34’s track record.

According to research conducted by Kaspersky, the malware samples utilized in this UAE campaign bear striking similarities to those used in a previous APT34 supply chain intrusion in Jordan. In both cases, the threat actors employed comparable tactics, techniques, and procedures (TTPs), with a specific focus on targeting government entities. Yamout suspected that LinkedIn may have been exploited as a delivery mechanism for the job form, mimicking the recruitment efforts of an IT company.

The use of a job recruiter stratagem is not uncommon in the world of cyberattacks. In fact, it has been employed by various cybercriminal outfits over the years. The Lazarus group, associated with North Korea, has utilized this tactic on multiple occasions, as have other cyberattackers posing as military recruiters.

APT34, also known as OilRig, is an Iranian threat group that primarily operates in the Middle East. Their targets span a wide range of industries within the region. The group has been previously linked to other cyber-surveillance activities, such as an attack on the UAE earlier this year. APT34 is known for its preference for supply chain attacks, leveraging the trust established between organizations to target their primary objectives. The group carefully selects specific organizations for strategic purposes.

Mandiant, a cybersecurity firm, has conducted extensive research on APT34 and determined that the group has been active since at least 2014. They employ a combination of publicly available and customized tools, often using spear-phishing techniques coupled with compromised accounts and social engineering tactics. Mandiant’s report stated that “we assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.” This assessment was reinforced by the US government’s decision to impose sanctions on Iran last year as a result of APT34’s activities.

As APT34 strikes once again, it becomes evident how cyber threats originating from state-sponsored threat groups continue to pose a significant challenge to governments and organizations worldwide. The ability of these threat actors to adapt and evolve their attack techniques necessitates constant vigilance and proactive cybersecurity measures to mitigate the risks they pose.
