Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery
released on 2018-11-22 @ 01:40:59 PM
Gaining insight into an adversary's operational tempo in the early phases of the attack lifecycle can be very difficult. Typically, the reconnaissance and weaponization phases offer a researcher far fewer data points for determining how quickly an adversary operates before it interacts directly with a target in the delivery phase. While continuing research on the August 2018 attacks on a Middle Eastern government that delivered BONDUPDATER, Unit 42 researchers observed OilRig's testing activities and, with high confidence, link this testing to the creation of the weaponized delivery document used in this attack.