Welcome back to the Cyber Resilience Brief, a SafeBreach podcast. I’m Tova Devoren, your host. And with me is Adrienne Culley, my cohost and a resident offensive cybersecurity engineer here at SafeBreach. In our last two episodes, we looked at the history and the command structure of Iranian cyber. Today, we’re getting into the specific groups that keep CISOs in the energy and aviation sectors awake at night. Hi to all of our listeners, and thank you for joining us again. Today is going to be all about the heavy hitters. We’re looking at the industrial espionage giants, the groups that don’t just want to disrupt. They want to steal the blueprints of the modern world. That’s right. We’re talking about APT33, OilRig, and MuddyWater. It’s clear that these groups have undergone a massive technical blow up in the last year. They really have, Tova. They’ve moved away from script kiddie tactics to high-end stealthy operations that mimic the most advanced threat actions on the planet, that are the most advanced threat actions on the planet.

That’s right. And let’s start with the big one, APT33, also known as Elfin or Magnallium. Hope I’m pronouncing that right. If you’re in aerospace or oil and gas, this is your primary adversary. Exactly. APT33 is the IRGC’s preferred tool for intellectual property theft. Their goal is simple. Iran is under heavy sanctions, so they can’t buy the latest turbine tech or drone schematics or whatever other sanctioned technology on the open market. So they send APT33 to go take it. They’re actually tasked with a collection plan, which is how all intelligence agencies work, to aggressively target these industry sectors. I understand there was a massive breach in 2025 involving a European aerospace firm. What was the smoking gun there? So the smoking gun, Tova, was the use of a tool called DROPSHOT. It’s a sophisticated dropper that delivers a wiper called StoneDrill.
But here’s the clever part. They didn’t lead with the wiper. They spent months exfiltrating engine schematics first. The wiper was just the cleanup crew to hide their tracks once they were done, to destroy the evidence. Oh, that’s a far cry from the loud attacks we discussed in episode one of our Iranian series. It is. It’s espionage first, destruction second. And for a breach and attack simulation engineer like me, what’s interesting is their persistence. There’s a custom backdoor called TURNEDUP. We know that they updated this in late 2025 to bypass specific behavioral heuristics in modern endpoint detection and response (EDR) tools. So TURNEDUP is a Trojan. It tends to be sent via email, interestingly, which is a bit of an anachronistic technique these days. We do have extensive coverage of the attack code. If you’re a SafeBreach customer, you’ll find it in the playbooks. Or if you run our OilRig scenario overall, it’s all embedded in there. But we have very detailed knowledge of the actual line-by-line offensive code that’s used when deploying the TURNEDUP backdoor. Okay. Thank you, Adrienne, for that additional context.

Now let’s pivot to OilRig, or APT34. While APT33 is global, OilRig feels much more surgical. OilRig is the master of the Middle Eastern theater. They target government, finance, and telecommunications, primarily in the Gulf. But don’t let the regional focus fool you; their techniques are world class. Right. And their theme is living off the land, isn’t it? Exactly. They love using DNS tunneling. Instead of connecting to a suspicious IP address, their malware hides stolen data inside standard DNS queries. To a traditional firewall, it just looks like your computer’s trying to find a website. It’s incredibly hard to spot without deep packet inspection or behavioral analysis. And they’ve been using a new loader called QUADAGENT lately. Right. They’re using it to target administrative accounts.
Once they have those, they don’t need malware anymore. They just use the admin’s own PowerShell scripts to move through the network. This is where detection fails and validation becomes the only way to survive.

Let’s talk about that validation. If I’m a security leader in a high-stakes industry, how do I use the SafeBreach platform, or other platforms like ours, to stay ahead of an actor like OilRig? So I would recommend, because it’s what I do, start with the Hacker’s Playbook. Our world-class research and development team here at SafeBreach stays on top of current events and threat actors. You’d always see in the playbook section of our platform exactly what attack code’s been loaded in the last couple of days. When we see APT33 update the DROPSHOT payload, we add that specific behavior to the SafeBreach playbook. In other words, that means that I could run a Red Team style simulation of an APT33 attack with a single click. Exactly. Very precisely, Tova. You run the simulation, and the platform tells you exactly where the attack was blocked, and more importantly, where it wasn’t. But with continuous automated red teaming, CART, we take it a step further. We don’t just test the initial breach. We test the lateral movement. Right. Because if OilRig is living off of your land, then we need to find it where it lives. Exactly. If OilRig gets into your guest WiFi or a low-security workstation, we can automatically try to find the path to your SCADA systems or your financial database using the same TTPs, tactics, techniques, and procedures, found in the wild. And as we’ve discussed before, it’s adversarial exposure validation, AEV, which helps you prioritize those results and see what to remediate first. Right, Tova. These approaches layer upon each other, and we’re refining as we deliver this. If CART finds fifty paths to sensitive data, AEV will tell you these three paths are the ones OilRig is currently using in the wild.
It turns a mountain of data into an actionable to-do list for your remediation team. It lets you prioritize your cyber order of battle. Yeah. I have to say that I think in all the research we’ve done in this podcast so far, we can agree that the security noise for most tools is just as problematic as the threat actors themselves. So it’s absolutely critical to have that prioritization. Not everything that can be counted counts, and not everything that counts can be counted, as I’ve said before. And this approach allows you to hone right in on the highest risk that affects you directly and then deal with it. Well said.

Well, we can’t leave out MuddyWater. They’ve become the MOIS’s offensive espionage wing, and their volume of attacks increased by over a hundred percent in 2025. So absolutely that, Tova. MuddyWater is the volume player. They cast a wide net. They’ve been targeting US transportation and manufacturing sectors very heavily last year. They use a new C2 framework called PhonyC2. It’s designed to look like legitimate cloud traffic: AWS, Azure, Google Cloud. So they’re hiding in the clouds that we use to run our businesses, or frankly, we use to run everything. Absolutely. They’ve gone for the path of least resistance. They’re hiding in plain sight, and that’s why exposure management is so critical. You can’t just block the bad clouds. You have to validate that your security stack can tell the difference between a legitimate AWS API call and a MuddyWater heartbeat. Never lose sight of why you have security controls in the first place. It’s to protect your assets and maintain production viability to stay in business. We are validating security controls to protect assets and ultimately protect the business by removing or reducing risk. And the cloud is full of risk. In short, the giants are getting smarter, stealthier, and more persistent. But, Adrienne, as you always say, validation is the antidote to uncertainty.
Don’t wait for the breach to find out if your IP is safe. Run a simulation. Validate the exposure. Close the gap. Simulate and emulate those threat actors that are targeting you. And if you’re not sure about this, speak to us. We’ll help you. Absolutely. Stay tuned for next time, where we’re moving from the machines to the humans. We’re talking about the social engineers, the actors who don’t hack your firewall, they hack you. Exactly, Tova. We’re going to be talking Charming Kitten in the next episode and how they use artificial intelligence to build relationships before they build a backdoor. You probably won’t want to miss that episode. Absolutely, Adrienne. And until next time, stay safe. Stay safe with SafeBreach. Bye bye.

The Cyber Resilience Brief is the SafeBreach podcast. Executive produced by Adrienne Culley and Tova Devoren. Music produced by Sar Jussner. Hosted, edited, and compiled on Riverside. For more about SafeBreach and how you can validate your security across your entire IT infrastructure, visit us at www.safebreach.com. That’s w w w dot s a f e b r e a c h dot com.