Azerbaijan probes reported cyberattack on oil and gas company

16 May 2026 14:30

Azerbaijan’s Computer Incident Response Centre has carried out reconnaissance and technical analysis following reports that the APT (Advanced Persistent Threat) group FamousSparrow, allegedly linked to China, conducted a multi-stage cyberattack targeting a company in the country’s oil and gas sector.

According to information provided by the agency to Caliber.Az, the reported attack scenario indicated that the attackers gained initial access by exploiting the ProxyShell and ProxyNotShell vulnerabilities in Microsoft Exchange Server. They then deployed a web shell within the system to establish persistent access. At later stages, the attackers allegedly used DLL sideloading techniques to deploy the Deed RAT and TernDoor malware.

Despite these reports, a detailed analysis conducted within the AzStateNet segment found no evidence of FamousSparrow activity. Specialists examined file hashes, domains, URLs, and other indicators of compromise associated with the alleged attack vector. Queries based on domain indicators were also carried out across the AzStateNet network.

Based on the technical indicators linked to the reported attack, preventive blocking measures were implemented, and additional restrictions were enforced through security systems.

The Computer Incident Response Centre also issued recommendations to state institutions, urging them to investigate suspicious outbound connections and anomalous activity, and to promptly notify relevant authorities if any signs of compromise are detected. It further advised conducting checks related to the domains sentinelonepro[.]com:443 and virusblocker[.]it[.]com:443, maintaining both retrospective and real-time monitoring of indicators of compromise (IOCs), and carrying out additional analysis of Microsoft Exchange infrastructure and authentication logs.
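
The retrospective domain check recommended above, as an added example that is not from Caliber.Az or the Computer Incident Response Centre: it refangs the two published indicators and searches proxy logs for connections to those domains or their subdomains, without matching look-alike names. The log layout, the function names and the sample lines are constructed assumptions.

```python
import re

# Indicators exactly as published in the article (defanged, with port).
DEFANGED_IOCS = ["sentinelonepro[.]com:443", "virusblocker[.]it[.]com:443"]

def refang(ioc):
    """Turn 'name[.]tld:443' into ('name.tld', 443)."""
    host, _, port = ioc.replace("[.]", ".").lower().rpartition(":")
    return host, int(port)

IOCS = dict(refang(i) for i in DEFANGED_IOCS)

# Assumed log layout: "<ISO timestamp> <client IP> CONNECT <host>:<port>"
LINE_RE = re.compile(r"^(\S+) (\S+) CONNECT ([^\s:]+):(\d+)$")

def match_ioc(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in IOCS:
        # Compare on a label boundary so look-alike names do not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(lines):
    """Return one dict per log line whose destination matches an IOC."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, host, port = m.groups()
        domain = match_ioc(host)
        if domain:
            hits.append({"time": ts, "client": client, "host": host,
                         "ioc": domain, "port_match": int(port) == IOCS[domain]})
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2026-05-10T08:14:02Z 10.0.4.17 CONNECT mail.example.org:443
2026-05-10T08:14:09Z 10.0.4.23 CONNECT SentinelOnePro.com:443
2026-05-11T02:41:55Z 10.0.7.8 CONNECT cdn.virusblocker.it.com:8443
2026-05-11T02:42:10Z 10.0.7.8 CONNECT notsentinelonepro.com:443
2026-05-12T11:03:31Z 10.0.9.2 CONNECT sentinelonepro.com.example.net:443
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

A hit with `port_match` set to false still warrants review, since the published port is only one observed value for the domain.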

By Tamilla Hasanova

Caliber.Az