The article describes the monitoring of infrastructure staged for potential cyber operations by a threat group linked to APT34 (OilRig), focusing on a series of domains and servers impersonating academic and fictional organizations in Iraq and the UK. Observations on shared SSH keys, distinctive HTTP behaviors, and pre-operational staging give defenders a way to anticipate adversary activity before it begins. Affected: APT34 (OilRig), academic institutions, technology firms, government agencies, NGOs
Key points:
- Domains and servers impersonating academic and tech organizations were tracked from November 2024 to April 2025.
- Infrastructure offers early warning signals for defenders before an actual attack.
- Shared SSH keys and unique HTTP behaviors were observed, indicating links to APT34 (OilRig).
- Domains registered showed patterns typically used for phishing and initial access preparation.
- Only one domain revealed live content, presenting inconsistent branding across various sites.
- Monitoring opportunities were highlighted for tracking future malicious infrastructure through unique technical signatures.
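As an added example (not code from the hunt.io article), the Python below shows the kind of pivot a defender can run over SSH scan results: it normalizes fingerprints from both the hex form used in the indicator list and the OpenSSH `SHA256:` form, flags hosts presenting a watchlisted host key, and surfaces any other key shared by more than one host. The host records are constructed sample data (TEST-NET addresses); the watchlisted fingerprint is the one from the indicator list, and which hosts present it is an assumption for the demo.

```python
"""Pivot on shared SSH host-key fingerprints across scanned hosts."""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass

# SHA-256 SSH host-key fingerprint from the article's indicator list.
PAGE_FP = "05ce787de86117596a65fff0bab767df2846d6b7fa782b605daeff70a6332eb0"
WATCHLIST = {PAGE_FP}

HEX_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def normalize_fingerprint(fp: str) -> str:
    """Return a lowercase hex SHA-256 fingerprint.

    Accepts the 64-char hex form or OpenSSH's 'SHA256:<unpadded base64>'
    form as printed by ssh-keyscan / ssh-keygen -l.
    """
    fp = fp.strip()
    if HEX_SHA256.match(fp):
        return fp.lower()
    if fp.startswith("SHA256:"):
        b64 = fp[len("SHA256:"):]
        raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
        if len(raw) != 32:
            raise ValueError("SHA256 fingerprint must decode to 32 bytes")
        return raw.hex()
    raise ValueError(f"unrecognized fingerprint format: {fp!r}")


@dataclass(frozen=True)
class HostObservation:
    ip: str
    ssh_fingerprint: str
    http_server: str  # Server header seen on the host; another pivot field


# Constructed sample scan results; the IPs are documentation ranges.
SAMPLE_OBSERVATIONS = [
    HostObservation("198.51.100.17", PAGE_FP, "nginx"),          # watchlisted key
    HostObservation("198.51.100.42", PAGE_FP.upper(), "nginx"),  # same key, odd case
    HostObservation("198.51.100.23", "ab" * 32, "LiteSpeed"),    # new shared key
    HostObservation("203.0.113.5", "ab" * 32, "LiteSpeed"),
    HostObservation("203.0.113.9", "cd" * 32, "Apache"),         # singleton, ignored
]


def find_pivots(observations, watchlist):
    """Return (hosts presenting a watchlisted key, unknown keys shared by >1 host)."""
    wanted = {normalize_fingerprint(f) for f in watchlist}
    by_key = defaultdict(list)
    for obs in observations:
        by_key[normalize_fingerprint(obs.ssh_fingerprint)].append(obs)
    hits = {fp: hosts for fp, hosts in by_key.items() if fp in wanted}
    clusters = {fp: hosts for fp, hosts in by_key.items()
                if fp not in wanted and len(hosts) > 1}
    return hits, clusters
```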
MITRE Techniques:
- Impair Defenses (TA0005): Use of fake infrastructure that impersonates trusted organizations to evade detection.
- Initial Access (TA0001): Utilization of domains resembling educational institutions for credential harvesting.
- Credential Access (TA0006): Setup of mail and webmail subdomains suggests potential for webmail impersonation.
Indicators of Compromise:
- [IP Address] 38.180.140.30
- [Domain] biam-iraq[.]org
- [Domain] plenoryvantyx[.]eu
- [SSH Fingerprint] 05ce787de86117596a65fff0bab767df2846d6b7fa782b605daeff70a6332eb0
- [Domain] zyverantova[.]eu
Full Story: https://hunt.io/blog/track-apt34-like-infrastructure-before-it-strikes