Attacks believed to be Iranian in origin were fended off for more than two weeks in April, but security experts examining the code detected something they'd never seen before: snippets of code baring similarities to a known Russian toolkit available on the underground Russian marketplace.
The code had previously been used in a damaging cyber-attack on the Ukraine's infrastructure in 2015.
Carl Wright, general manager and executive vice president of worldwide sales at TrapX Security, the San Mateo, California-based security firm that blocked the hackers last month, told an interviewer it was the first time his firm had detected an attack where hackers based in Iran were collaborating with Russian hackers-for-hire, according to an article in the New York Times.
Wright could not reveal the target of the attack owing to a confidentiality arrangement. But other security experts said the attackers could have purchased the Russian toolkit from an online forum and customised it for their campaign.
This hypothesis is countered by TrapX researchers, however, who noted that a number of "web domains used in the attack had been registered to a Russian alias, and that three email addresses continue to be used by a hacker in Russian hacking forums and in the underground web."
The Iranian attackers behind the latest campaign, dubbed OilRig for their previous attacks on oil companies in Saudi Arabia and Israel, have been expanding their geographical range with hundreds of new attacks targeting a number of military, financial and energy companies in Europe as well as the United States, the Times reported.
Nearly three-quarters of the code employed in the latest campaign was previously used by OilRig in hundreds of attacks on other enterprises, including government agencies and oil companies.
But, as the defences of the newest target became more robust and the attackers evolved their tactics, the security researchers noted new weapons in their arsenal: a typical hacker's kit, used to siphon out data, such as to steal usernames and passwords; but, more revealing, a tool never before detected in an OilRig campaign.
This was obfuscated with encryption to evade security investigators. After weeks spent decrypting the code, the researchers at TrapX determined that besides code similar to that used by OilRig in prior attacks, the bad actors were employing malware called BlackEnergy, also used previously, specifically by the Russian hackers who attacked the Ukraine power grid. Further, data was being transferred from the target to a server also used in the Ukraine attack.
TrapX lured the miscreants to inject their malware onto a server, which was then analysed by the TrapX team who were able to then shut the attackers out of their client's system.