Rankiteo Logo
Rankiteo
Leader in Cyber Underwriting
Loading...
NEWRankiteo Cyber Underwriting Desktop - Score, price, and bind from your desktop
WindowsmacOSLinux
Download
Analyze » State Oil Company of the Republic of Azerbaijan (SOCAR) » SOCMIC1778768867

Incident Score: Analysis & Impact (SOCMIC1778768867)

The details regarding individual company incidents & reports gives you full view from every side.

Rankiteo Score Impact Analysis

Rankiteo Incident Impact+5
Company Score Before Incident760 / 1000
Company Score After Incident765 / 1000
INCIDENT NUMBERSOCMIC1778768867
Type of Cyber IncidentVulnerability
ATTACK VECTORExploitation of ProxyNotShell vulnerability in Microsoft Exchange
DATA EXPOSEDStrategic intelligence on European energy...
INCIDENT DATE24/12/2025
STATUSOngoing

Key Highlights From The Incident Analysis

  • Timeline of State Oil Company of the Republic of Azerbaijan (SOCAR)'s Vulnerability and lateral movement inside company's environment.
  • Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
  • How Rankiteo’s incident engine converts technical details into a normalized incident score.
  • How this cyber incident impacts State Oil Company of the Republic of Azerbaijan (SOCAR) Rankiteo cyber scoring and cyber rating.
  • Rankiteo’s MITRE ATT&CK correlation analysis for this incident, with associated confidence level.

Full Incident Analysis Transcript

In this Rankiteo incident briefing, we review the State Oil Company of the Republic of Azerbaijan (SOCAR) breach identified under incident ID SOCMIC1778768867.

The analysis begins with a detailed overview of State Oil Company of the Republic of Azerbaijan (SOCAR)'s information like the linkedin page: https://www.linkedin.com/company/socarofficial, the number of followers: 114072, the industry type: Oil and Gas and the number of employees: 4562 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 760 and after the incident was 765 with a difference of 5 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on State Oil Company of the Republic of Azerbaijan (SOCAR) and their customers.

On 28 February 2026, Major Azerbaijani oil and gas company disclosed Cyber Espionage issues under the banner "Chinese APT Group Targets Azerbaijani Energy Firm in Months-Long Espionage Campaign".

A Chinese state-aligned advanced persistent threat (APT) group, FamousSparrow, compromised a Microsoft Exchange server at a major Azerbaijani oil and gas company in a prolonged cyber-espionage operation.

The disruption is felt across the environment, affecting Microsoft Exchange server and Internal network systems, and exposing Strategic intelligence on European energy flows, internal network data.

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

MITRE ATT&CK® Correlation Analysis

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (95%), supported by evidence indicating exploited the ProxyNotShell vulnerability in Microsoft Exchange. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Windows Command Shell (T1059.003) with moderate to high confidence (80%), supported by evidence indicating aSPX web shells (e.g., key.aspx, log.aspx) served as C2 points and Exploitation for Client Execution (T1203) with moderate to high confidence (70%), supported by evidence indicating dLL sideloading chain abusing LogMeIn Hamachi service. Under the Persistence tactic, the analysis identified Server Software Component: Web Shell (T1505.003) with high confidence (90%), supported by evidence indicating deployed ASPX web shells (key.aspx, log.aspx) for persistence, Create or Modify System Process: Windows Service (T1543.003) with moderate to high confidence (70%), supported by evidence indicating dLL sideloading chain abused LogMeIn Hamachi service, and Exploitation for Privilege Escalation (T1068) with moderate confidence (60%), supported by evidence indicating kernel-mode driver (vmflt.sys) for rootkit-like persistence. Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with moderate to high confidence (80%), supported by evidence indicating kernel-mode driver (vmflt.sys) for rootkit-like persistence and Valid Accounts: Domain Accounts (T1078.002) with high confidence (90%), supported by evidence indicating stolen domain admin credentials used for lateral movement. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (90%), supported by evidence indicating custom XOR decryption and PRNG-based obfuscation in Deed RAT, Masquerading: Masquerade Task or Service (T1036.004) with moderate to high confidence (80%), supported by evidence indicating dLL sideloading chain abused LogMeIn Hamachi service, and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (60%), supported by evidence indicating anti-analysis techniques to evade detection. Under the Credential Access tactic, the analysis identified OS Credential Dumping: Security Account Manager (T1003.002) with moderate to high confidence (70%), supported by evidence indicating stolen domain admin credentials used for lateral movement. Under the Discovery tactic, the analysis identified Account Discovery: Domain Account (T1087.002) with moderate to high confidence (80%), supported by evidence indicating lateral movement relied on RDP with stolen domain admin credentials and Network Service Discovery (T1046) with moderate to high confidence (70%), supported by evidence indicating impacket-based tools (atexec, smbexec) used for lateral movement. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with high confidence (90%), supported by evidence indicating lateral movement relied on RDP with stolen domain admin credentials and Lateral Tool Transfer (T1570) with moderate to high confidence (80%), supported by evidence indicating impacket-based tools (atexec, smbexec) used for lateral movement. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating strategic intelligence on European energy flows compromised. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (90%), supported by evidence indicating aSPX web shells served as command-and-control (C2) points and Ingress Tool Transfer (T1105) with moderate to high confidence (80%), supported by evidence indicating deed RAT deployed via DLL sideloading chain. Under the Exfiltration tactic, the analysis identified Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating data exfiltration confirmed in espionage campaign. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.

Initial Access
Exploit Public-Facing Application (95%)
Execution
Command and Scripting Interpreter: Windows Command Shell (80%)
Exploitation for Client Execution (70%)
Persistence
Server Software Component: Web Shell (90%)
Create or Modify System Process: Windows Service (70%)
Exploitation for Privilege Escalation (60%)
Privilege Escalation
Exploitation for Privilege Escalation (80%)
Valid Accounts: Domain Accounts (90%)
Defense Evasion
Obfuscated Files or Information (90%)
Masquerading: Masquerade Task or Service (80%)
Impair Defenses: Disable or Modify Tools (60%)
Credential Access
OS Credential Dumping: Security Account Manager (70%)
Discovery
Account Discovery: Domain Account (80%)
Network Service Discovery (70%)
Lateral Movement
Remote Services: Remote Desktop Protocol (90%)
Lateral Tool Transfer (80%)
Collection
Data from Local System (90%)
Command and Control
Application Layer Protocol: Web Protocols (90%)
Ingress Tool Transfer (80%)
Exfiltration
Exfiltration Over C2 Channel (90%)

Sources & References