
Cyber Incident Victim: AI Squared

Date: Jan 2016

Location: United States of America

Summary

A Vermont-based assistive technology company became an unexpected victim of Iranian state-sponsored cyberespionage when its digital certificates were stolen by the OilRig hacking group. The attackers weaponized these certificates to disguise their Helminth malware, distributing it through phishing campaigns impersonating Oxford University job offers and conference registrations, as well as compromised email accounts from entities like Turkish Airlines and Saudi Arabian IT suppliers. This enabled unauthorized access to systems across multiple Middle Eastern, European, and U.S. organizations, including government agencies and financial institutions, facilitating data theft and persistent surveillance. The incident demonstrated Iran's shift toward stealthy cyber operations targeting foreign private sector entities alongside traditional diplomatic targets.


Description

The AI Squared incident began in January 2017 when the Vermont-based accessibility software company received a notification from Symantec warning that its digital certificates had been compromised. These certificates, designed to authenticate the legitimacy of AI Squared’s products, were stolen by Iranian state-sponsored hackers known as OilRig and weaponized to sign their malicious tools. Security researchers from ClearSky identified OilRig’s use of the stolen certificates in November 2016 to distribute malware disguised as legitimate documents hosted on two fraudulent Oxford University websites—one posing as a job recruitment portal and the other as a conference registration page. Visitors who downloaded the offered files, including a fabricated CV creator tool, inadvertently executed OilRig’s Helminth malware, enabling remote system control and data exfiltration. AI Squared became the first confirmed private U.S. business targeted by OilRig, reflecting Iran’s strategic shift toward infiltrating foreign commercial entities alongside traditional government and diplomatic targets.


OilRig leveraged the stolen certificates to conduct broader phishing campaigns across multiple sectors and regions. In July 2016, the group impersonated Turkish Airlines to send credential-harvesting emails to three Turkish foreign ministry officials, including a UN mission adviser in New York and embassy staff in Latvia. A May 2016 attack hijacked an email thread between Saudi Arabian contractor Al-Elm and Samba Financial Group, inserting a malicious Excel attachment (“notes.xls”) containing Helminth. SecureWorks documented additional January 2017 activity where OilRig—operating as “Cobalt Gypsy”—compromised email accounts at Saudi Arabia’s National Technology Group and Egypt’s ITWorx to distribute PupyRAT malware via fake job offers. While Symantec alerted AI Squared to the certificate compromise, the Iranian attribution emerged later through investigative reporting and security analyses. Neither AI Squared nor most targeted entities publicly confirmed data breaches, though OilRig’s actions demonstrated persistent access to critical infrastructure, enabling prolonged espionage. U.S. intelligence analysts monitored the group’s evolution amid geopolitical tensions following Iran’s denial of involvement in prior cyberattacks against American financial institutions.
