04:00 PM | 18 Apr 2019

DarkMatter Analysis of Recent APT34 Operations Exposure

Included in this data leak are several victims’ sensitive data


Abu Dhabi - 18 April, 2019 - DarkMatter Group, the region’s first and only fully integrated digital and cyber transformation firm, has released the first analysis of the major regional data leak reported earlier today on zdnet.com.

Alan White, VP xen1thLabs and Cyber Network Defence for DarkMatter Group said, “We’ve been analyzing this active situation since it was first reported a few hours ago. We’ve advised organizations in the region about what has happened and how it can potentially affect them, including some immediate steps they should consider taking.”

“This attack shows a particular focus on the region with more than 60 organizations in the Middle East and Africa impacted with a potential threat actor having a ‘command and control’ administration affecting webmail and home pages.  The attack is targeting usernames and passwords and the scale of this is significant and something we have not seen before in the region.”

“We are urging all organizations to take 3 fundamental actions:

  1. Look at the integrity of webservers and assess if there are signs of access with weblinks that should not be there.
  2. If you think your organization is at risk of having passwords compromised, take action to have passwords reset across the organization to safeguard data. If users are at risk with passwords being reused for their personal accounts, employees should also consider resetting their own accounts.
  3. If you determine that your organization is at risk, you should start full triage and initiate analysis focusing on how long the organization may have been exposed and what is at risk.”

Mr White also offered expert assistance from DarkMatter for organizations at risk saying, “We are ready to support organizations with triage services to help them validate if they have suffered a breach and give initial guidance on what to do next.

We are also ready to provide full service support so that affected organizations can initiate digital forensics on the impact of the threat.”

DarkMatter has set up a direct channel for organizations requiring expert assistance: contactus@darkmatter.ae

What we know about the situation so far:

What has happened?

Unknown actors have published a collection of files allegedly belonging to the Iranian-backed OILRIG campaign that detailed a list of compromised organizations mainly in the Middle East and Africa.

On 20 March 2019, a person with the handle MrL4nnist3r attempted to sell this data via advertising on public forums. Later on 26 March 2019, a Telegram user with the pseudonym Lab Dookhtegan posted these files on a Telegram channel.  The posted files include a list of credentials, webshells allegedly used by the OILRIG threat actors, and a list of sites with the deployed webshells.

Who is behind this attack?

Unknown actors published the files allegedly belonging to the Iranian-backed OILRIG campaign.

What is being done?

DarkMatter Group continues to analyze the threat actor and has reached out to organizations that may be impacted.



Back To Press Releases Listing