Full Report
A new set of cyber attacks targeting Kurdish and Iraqi government officials in early 2024 has been attributed to an Iran-aligned hacking group. The activity is tied to a threat group ESET tracks as BladedFeline, which is assessed with medium confidence to be a sub-cluster within OilRig, a known Iranian nation-state cyber actor. It's said to be active since September 2017, when it targeted
Analysis Summary
# Threat Actor: BladedFeline
## Attribution & Identity
* **Attribution:** Iran-aligned hacking group, assessed with medium confidence to be a sub-cluster within **OilRig** (an Iranian nation-state cyber actor).
* **Aliases/Associations:** Suspected sub-cluster of OilRig. Distinguished from another cluster, Lyceum.
## Activity Summary
* **Historical Activity:** Active since September 2017, initially targeting officials associated with the Kurdistan Regional Government (KRG).
* **Recent Campaigns (Early 2024):** Targeted Kurdish and Iraqi government officials.
* **Other Noteworthy Activity:** Compromised a regional telecommunications provider in Uzbekistan (potentially as early as May 2022). Attacks observed in Q4 2023/Q1 2024 focused on Iraqi government organizations, diplomatic envoys, and governmental organizations in Azerbaijan.
## Tactics, Techniques & Procedures
* **Initial Access (Suspected):** Likely leveraged a vulnerability in an internet-facing application to break into Iraqi government networks.
* **Persistence/C2:**
  * Deployment of the Flog web shell for persistent remote access.
  * Use of bespoke backdoors: Shahmaran (a simple backdoor), Whisper (aka Veaty), Spearal, and Optimizer.
  * Use of tunneling tools: Laret and Pinar.
  * Deployment of PrimeCache, a malicious IIS module that acts as a passive backdoor: it stays dormant until an inbound HTTP request matches its trigger (request pattern/cookie header), then processes the embedded command.
  * Use of Slippery Snakelet (a Python implant) for command execution and file download/upload.
  * Whisper uses a compromised Microsoft Exchange webmail account for C2, exchanging commands and results as email attachments.
  * Spearal uses DNS tunneling for C2.
  * Use of Hawking Listener (an early-stage implant) that listens on a specified port and executes received commands via "cmd.exe".
* **Evidence of Link to OilRig:** Discovery of OilRig tools (RDAT and VideoSRV) on a compromised KRG system in 2017/2018. PrimeCache bears similarities to OilRig's RDAT backdoor.
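A defender-side check for the PrimeCache-style technique described above: a malicious native IIS module must be registered in the server's `applicationHost.config` (normally `%windir%\System32\inetsrv\config\applicationHost.config`), so a copy of that file can be audited against an allowlist of Microsoft-shipped modules and the expected DLL directory. This is an added example, not ESET's or the report's code; the configuration text, the allowlist and the module name `WebCacheHelper` are constructed for the demo (the real PrimeCache registration name is not given in the summary).

```python
"""Flag unexpected native modules in an IIS applicationHost.config.

Added example (not ESET's or the report's own code). SAMPLE_CONFIG is a
constructed stand-in for applicationHost.config; the module names and paths
in it are made up for the demo.
"""
import xml.etree.ElementTree as ET

# Native IIS modules shipped by Microsoft: a starting allowlist. In practice,
# generate it from a known-good server of the same role rather than trusting
# this list blindly.
KNOWN_MODULES = {
    "HttpLoggingModule", "UriCacheModule", "FileCacheModule", "TokenCacheModule",
    "HttpCacheModule", "StaticCompressionModule", "DefaultDocumentModule",
    "DirectoryListingModule", "ProtocolSupportModule", "StaticFileModule",
    "AnonymousAuthenticationModule", "RequestFilteringModule", "CustomErrorModule",
    "IsapiModule", "IsapiFilterModule", "CgiModule", "WindowsAuthenticationModule",
    "RequestMonitorModule", "ConfigurationValidationModule",
}

# Directory where Microsoft's native module DLLs live; compared case-insensitively.
TRUSTED_DIR = "%windir%\\system32\\inetsrv\\"

# Constructed sample: three legitimate entries and one registered from an
# unexpected path under a made-up name (hypothetical, not PrimeCache's real name).
SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="StaticFileModule" image="%windir%\System32\inetsrv\static.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="WebCacheHelper" image="C:\inetpub\temp\wchelper.dll" />
    </globalModules>
  </system.webServer>
</configuration>
"""


def audit_global_modules(config_xml: str, known=KNOWN_MODULES):
    """Return a list of {name, image, reasons} for every <globalModules><add>
    entry whose name is not allowlisted or whose DLL lives outside inetsrv."""
    root = ET.fromstring(config_xml)
    findings = []
    for section in root.iter("globalModules"):
        for add in section.findall("add"):
            name = add.get("name", "")
            image = add.get("image", "")
            reasons = []
            if name not in known:
                reasons.append("name not in allowlist")
            if not image.lower().startswith(TRUSTED_DIR):
                reasons.append("image outside inetsrv")
            if reasons:
                findings.append({"name": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_global_modules(SAMPLE_CONFIG):
        print(f"{f['name']:<20} {f['image']:<45} {', '.join(f['reasons'])}")
```

Run it against a copy of `applicationHost.config` pulled from the server; anything it flags should be tied back to a change ticket or a known product installer. Managed modules (the `<modules>` section) and per-site `web.config` overrides deserve the same treatment, which this demo does not cover.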
## Targeting
* **Sectors:** Government, Diplomatic/Embassies, Telecommunications.
* **Geography:** Iraq, Kurdistan Regional Government (KRG), Azerbaijan, Uzbekistan.
* **Victims:** Kurdish and Iraqi government officials, diplomatic envoys from Iraq, KRG governmental organizations, a regional telecommunications provider in Uzbekistan.
## Tools & Infrastructure
* **Malware Families Used:** Shahmaran, Whisper (Veaty), Spearal, Optimizer, Slippery Snakelet, Hawking Listener.
* **Web Shells/Modules:** Flog (web shell), PrimeCache (malicious IIS module).
* **Tunneling Tools:** Laret, Pinar.
* **Infrastructure:** C2 communication via remote servers (Shahmaran), email attachments through a compromised Exchange webmail account (Whisper), and DNS tunneling (Spearal). The text gives no explicit C2 URLs or IP addresses beyond these tool descriptions.
## Implications
* **Motivation:** Cyber espionage aimed at gathering diplomatic and financial information, maintaining strategic access to high-ranking officials in the KRG and Iraq.
* **Strategic Objectives:** Spying on the KRG because of its diplomatic ties with Western nations and its oil reserves; countering Western government influence in Iraq following the US invasion.
## Mitigations
* Focus on securing internet-facing applications against likely vulnerability exploitation.
* Monitor for the deployment and activity of the identified backdoors, particularly unexpected file/directory manipulation by custom implants.
* Monitor Microsoft Exchange environments for suspicious webmail access and for mailbox traffic that carries encrypted attachments consistent with Whisper's C2 channel.
* Monitor for non-standard C2 via DNS tunneling (Spearal): high volumes of long, high-entropy subdomain queries to a single domain.
* Inspect IIS environments for unauthorized malicious modules like PrimeCache or suspicious HTTP request handling.
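The DNS-tunneling mitigation above is the one most easily turned into a detection. The script below, an added example that is not ESET's or the report's code, triages a DNS query log by registered domain and flags domains that receive many distinct, long or high-entropy leftmost labels, often as TXT queries. Spearal's actual encoding is not described in the summary, so the heuristic keys on generic tunneling traits; the log format, every query line and the thresholds are constructed for the demo.

```python
"""Heuristic DNS-tunneling triage over a DNS query log.

Added example, not code from ESET or the report. The log format and every
query below are constructed; the long labels under updates.example.net stand
in for encoded C2 data.
"""
import math
import re
from collections import defaultdict

# Constructed log lines (not real traffic).
SAMPLE_LOG = """\
2024-02-01T09:00:01Z client=10.10.4.21 qname=www.example.com qtype=A
2024-02-01T09:00:02Z client=10.10.4.21 qname=mail.example.com qtype=A
2024-02-01T09:00:03Z client=10.10.4.21 qname=www.example.com qtype=A
2024-02-01T09:01:10Z client=10.10.4.37 qname=kq7xz2mn4vb8ycr3wt5hpl9gd0fe1sa6.updates.example.net qtype=TXT
2024-02-01T09:01:11Z client=10.10.4.37 qname=p3d8fj2lz9qw4mx7cv1rt6hn5gk0yb8u.updates.example.net qtype=TXT
2024-02-01T09:01:12Z client=10.10.4.37 qname=zr5tw9cx2qn7mh4lb1vd8gy3fk6pj0es.updates.example.net qtype=TXT
2024-02-01T09:01:13Z client=10.10.4.37 qname=hx1nf6kv3dz8wq5rm2tb9cy7lg4pj0sa.updates.example.net qtype=TXT
2024-02-01T09:01:14Z client=10.10.4.37 qname=mw4qz7fb2rn9xk5vd1tc8gh3yl6pj0es.updates.example.net qtype=TXT
2024-02-01T09:01:15Z client=10.10.4.37 qname=vt9ck3nq6zx2wm8rb5fd1hg7yl4pj0sa.updates.example.net qtype=TXT
2024-02-01T09:02:00Z client=10.10.4.21 qname=cdn.example.org qtype=A
"""

LINE_RE = re.compile(r"qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of the name. Good enough for the demo; a production
    version should use the public suffix list (co.uk and friends)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (qname, qtype) pairs from the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("qname"), m.group("qtype").upper()


def find_tunnel_candidates(text: str, min_unique=5, min_len=20.0, min_entropy=3.0):
    """Return {registered_domain: stats} for domains whose query pattern looks
    like a tunnel: at least min_unique distinct subdomains whose leftmost label
    is long or high-entropy on average. TXT/NULL/CNAME counts are reported
    because tunnels favour record types that carry arbitrary data."""
    per_domain = defaultdict(lambda: {"subs": set(), "data_rr": 0, "total": 0})
    for qname, qtype in parse_log(text):
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        st = per_domain[dom]
        st["total"] += 1
        if sub:
            st["subs"].add(sub)
        if qtype in ("TXT", "NULL", "CNAME"):
            st["data_rr"] += 1

    flagged = {}
    for dom, st in per_domain.items():
        subs = st["subs"]
        if len(subs) < min_unique:
            continue
        # The leftmost label is where encoded payload usually lives.
        first = [s.split(".")[0] for s in subs]
        mean_len = sum(map(len, first)) / len(first)
        mean_ent = sum(map(shannon_entropy, first)) / len(first)
        if mean_len >= min_len or mean_ent >= min_entropy:
            flagged[dom] = {
                "unique_subdomains": len(subs),
                "mean_label_len": round(mean_len, 1),
                "mean_label_entropy": round(mean_ent, 2),
                "data_rr_queries": st["data_rr"],
                "total_queries": st["total"],
            }
    return flagged


if __name__ == "__main__":
    for dom, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(dom, stats)
```

Tune `min_unique` and the length/entropy thresholds against a baseline of the organisation's own resolver logs first: CDNs, anti-spam lookups and some telemetry SDKs legitimately produce long hashed labels, so the output is a triage list, not an alert on its own.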