Source Code of Iran-Linked Hacking Tools Posted Online (Apr 22, 2019)
A group of threat actors, believed to be Iranian, calling itself "Lab Dookhtegan" allegedly leaked information and tools belonging to an Iranian Ministry of Intelligence-linked Advanced Persistent Threat (APT) group, "APT34," also known as "OilRig." Lab Dookhtegan has been leaking tools, domain names, IP addresses, and information obtained from APT34 victims since March 26, 2019. The group behind the leak stated that it wanted to destroy OilRig, for reasons that remain unknown, and claimed to have erased the APT group's servers as part of that effort.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, fail-safe defence processes) is the best way to ensure safety from APTs, with a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts. The leak of APT tools may result in other, potentially less sophisticated actors utilising the leaked tools to conduct malicious activity.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.