Full Report
The group has been operating since at least 2017, initially breaching systems belonging to the Kurdistan Regional Government, and has since expanded its reach to the Central Government of Iraq as well as a telecommunications provider in Uzbekistan.
Analysis Summary
# Threat Actor: BladedFeline (Suspected OilRig Subgroup)
## Attribution & Identity
Believed to be a subgroup of the Iranian state-backed threat actor **OilRig** (also tracked as APT34 or Hazel Sandstorm). Attribution is made by ESET researchers.
## Activity Summary
BladedFeline has been operating since at least 2017, conducting a long-running cyberespionage campaign. Initial activity involved breaching systems belonging to the Kurdistan Regional Government (KRG). The group has since expanded its reach to target the central Government of Iraq and a telecommunications provider in Uzbekistan. The group's overarching objective appears to be spying on and potentially manipulating entities related to Kurdish diplomatic relations and Iraq's oil reserves, as well as countering Western influence.
## Tactics, Techniques & Procedures
- **Initial Access:** Believed to exploit vulnerabilities in internet-facing servers.
- **Persistence/C2:** Use of webshells (Flog) to maintain control.
- **Malware Deployment:** Utilizing multi-staged toolkits including backdoors.
- **Communication:** One identified tool (Whisper) communicates via email attachments sent through compromised Microsoft Exchange webmail accounts.
- [No specific MITRE ATT&CK IDs were provided in the text.]
## Targeting
- Sectors: Government (including diplomatic officials), Telecommunications.
- Geography: Iraq, Kurdistan region (KRG), Uzbekistan.
- Victims: Kurdistan Regional Government (KRG), Central Government of Iraq, a telecommunications provider in Uzbekistan.
## Tools & Infrastructure
- **Malware families used:**
  - Shahmaran (simple backdoor allowing file operations and command execution)
  - Whisper (communicates via compromised Exchange webmail)
  - PrimeCache (bears similarities to the OilRig backdoor RDAT)
  - Flog (webshell used for maintaining control)
- **Infrastructure (C2, domains, IPs):** No C2 domains or IP addresses are listed in the summary text.
## Implications
BladedFeline presents a persistent, state-sponsored cyberespionage threat focused on politically and economically sensitive targets in the Middle East (Iraq, Kurdistan). Their evolution and continued development of their malware arsenal suggest a long-term commitment to espionage against regions where Iran seeks to counter Western influence or gain intelligence on strategic resources (oil). Their association with OilRig suggests potential overlap in operational methodologies, including potential supply chain targeting observed in the parent group.
## Mitigations
- Patch and secure internet-facing servers to prevent initial access via exploitation.
- Monitor for the use of known malware families (Shahmaran, Whisper, PrimeCache).
- Implement stringent monitoring of Microsoft Exchange webmail environments for suspicious outbound communication patterns, especially related to attachment transfers.
- Organizations should be aware of the group's focus on critical infrastructure and government networks within the region.
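The Exchange webmail mitigation above is the one that lends itself to a concrete detection. The following script is an added example, not code from ESET or from this summary: it reads a small constructed log of webmail send events and flags sender-to-external-recipient pairs that ship attachments at a timer-like cadence, which is the kind of "suspicious outbound communication pattern" a tool relaying through compromised mailboxes would produce. The CSV column names, the `example.org` internal domain and the sample rows are all assumptions chosen for the example; they are not Exchange's message-tracking schema and not indicators from the report.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of webmail send events. This is NOT real Exchange output:
# the column names are assumed for this example, and every address is made up.
SAMPLE_LOG = """timestamp,sender,recipient,direction,attachment_count,total_bytes
2024-03-01T08:00:12Z,alice@example.org,bob@example.org,internal,0,2048
2024-03-01T09:00:05Z,carol@example.org,relay@mail-drop.invalid,outbound,1,51234
2024-03-01T10:00:07Z,carol@example.org,relay@mail-drop.invalid,outbound,1,49876
2024-03-01T11:00:09Z,carol@example.org,relay@mail-drop.invalid,outbound,1,50311
2024-03-01T12:00:04Z,carol@example.org,relay@mail-drop.invalid,outbound,1,52100
2024-03-01T09:15:00Z,alice@example.org,partner@vendor.example,outbound,1,120000
2024-03-01T16:42:33Z,alice@example.org,partner@vendor.example,outbound,2,340000
"""

# Assumption: the organisation's own mail domain(s); anything else is external.
INTERNAL_DOMAINS = {"example.org"}


def parse_events(text):
    """Parse the CSV text into dicts with a datetime timestamp and int counters."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["attachment_count"] = int(row["attachment_count"])
        row["total_bytes"] = int(row["total_bytes"])
        events.append(row)
    return events


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_regular_attachment_senders(events, min_messages=4, max_cv=0.1):
    """Return {(sender, recipient): mean_gap_seconds} for sender -> external
    recipient pairs that sent attachments at near-regular intervals.

    Regularity is the coefficient of variation (stdev / mean) of the gaps
    between consecutive sends; a small value means a timer-like cadence,
    unlike the irregular timing of a person sending files to a partner.
    """
    by_pair = defaultdict(list)
    for ev in events:
        if ev["attachment_count"] > 0 and is_external(ev["recipient"]):
            by_pair[(ev["sender"], ev["recipient"])].append(ev["timestamp"])

    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_messages:
            continue  # too few observations to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits[pair] = avg
    return hits


if __name__ == "__main__":
    for (sender, recipient), gap in find_regular_attachment_senders(
        parse_events(SAMPLE_LOG)
    ).items():
        print(f"review: {sender} -> {recipient} sends attachments every ~{gap:.0f}s")
```

In the constructed sample only `carol@example.org` is flagged: four attachment-bearing messages to the same external address roughly one hour apart each. Alice's two sends to a vendor are too few and too irregular to trip the check. On real data the thresholds (`min_messages`, `max_cv`) and the internal-domain set need tuning, and a hit is a review queue entry, not a verdict; automated reports and scheduled exports also produce regular cadences and should be allow-listed.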