APT34 Activity Targets Critical Infrastructure

Researchers at FireEye have detailed the activity of a cyber-espionage group they dubbed “APT34” after observing a threat actor using an exploit for the Microsoft Office memory corruption vulnerability CVE-2017-11882, which Microsoft patched on November 14, 2017. Researchers believe the threat actors are Iran-based, either working directly for the Iranian government or as contractors selling their access to various networks of interest, and that they loosely align with a group commonly referred to as “OilRig.” APT34 works towards the interests of the Iranian government and largely focuses on reconnaissance activity targeting organizations in the financial, government, energy, chemical, and telecommunications sectors in the Middle East. APT34 uses a variety of tools and tactics, including public and non-public backdoors, and spear-phishing operations that use compromised accounts to gain access to additional networks.

The latest campaign leverages CVE-2017-11882 to deploy a PowerShell-based backdoor, POWRUNER, and a downloader with domain generation algorithm (DGA) functionality, BONDUPDATER. Additionally, FireEye attributes two previously reported cyber operations to APT34: a May 2015 spear-phishing campaign that used malicious attachments to distribute the POWBAT malware to banks in the Middle East, and a July 2017 incident that used malicious .rtf files exploiting the Microsoft Office/WordPad remote code execution vulnerability CVE-2017-0199 to deliver POWRUNER and BONDUPDATER to a Middle East organization.

APT34 operations, along with APT33 activity, highlight the additional effort and resources Iran is dedicating to expanding its cyber-espionage activity and improving its effectiveness. The group’s targeting of critical infrastructure sectors is especially concerning, as the access gained could be used for future disruptive or destructive operations.
The NJCCIC recommends that critical infrastructure sector organizations review the FireEye report for additional technical details and scan their networks using the Indicators of Compromise (IoCs) provided to determine whether activity associated with APT34 has occurred within their environment. If detected, this activity should be given the highest priority for mitigation and reported to the NJCCIC as soon as possible.
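Beyond matching the published IoCs, the delivery chain described above leaves a characteristic process lineage: CVE-2017-11882 is a flaw in the Office Equation Editor component (EQNEDT32.EXE), which has no legitimate reason to launch a command interpreter, and the payload is a PowerShell-based backdoor. The following detection logic is an added example, not code from the FireEye report or this advisory; it scans constructed process-creation records (the `key=value|key=value` layout and sample events are assumptions) and flags Equation Editor or Office applications spawning PowerShell or cmd, as well as PowerShell started with an encoded command.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Parent processes that should never launch a command interpreter.
# EQNEDT32.EXE hosts the CVE-2017-11882 bug; the Office applications
# cover the CVE-2017-0199 .rtf delivery path the advisory also mentions.
SUSPICIOUS_PARENTS = {"eqnedt32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Encoded-command switches typical of PowerShell-based droppers.
ENCODED_FLAG = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.IGNORECASE)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields.get("CommandLine", ""))


def is_suspicious(ev: ProcessEvent) -> bool:
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    child = ev.image.rsplit("\\", 1)[-1].lower()
    if parent in SUSPICIOUS_PARENTS and child in INTERPRETERS:
        return True
    # Lineage is lost when cmd.exe sits between Equation Editor and PowerShell,
    # so independently flag any PowerShell launched with an encoded command.
    return child == "powershell.exe" and bool(ENCODED_FLAG.search(ev.command_line))


def scan(lines: Iterable[str]) -> List[ProcessEvent]:
    """Return the events in the log that match either detection rule."""
    return [ev for ev in (parse_event(l) for l in lines if l.strip()) if is_suspicious(ev)]


# Constructed sample records for demonstration (not real telemetry).
SAMPLE_LOG = """
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Office16\\WINWORD.EXE|CommandLine=WINWORD.EXE /n invoice.rtf
ParentImage=C:\\Office16\\WINWORD.EXE|Image=C:\\EQUATION\\EQNEDT32.EXE|CommandLine=EQNEDT32.EXE -Embedding
ParentImage=C:\\EQUATION\\EQNEDT32.EXE|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c powershell -ep bypass -enc SQBFAFgA
ParentImage=C:\\Windows\\System32\\cmd.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -ep bypass -enc SQBFAFgA
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -File backup.ps1
"""

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {ev.parent_image} -> {ev.image}: {ev.command_line}")
```

Only the Equation Editor to cmd.exe hop and the encoded PowerShell launch are reported; the Word to Equation Editor launch and the plain `-File` script run are left alone.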