APT34 (OilRig)
from Not Simon 🐐
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated September 12, 2024)
Aliases (sorted alphabetically):
- APT34 (Check Point Research, FireEye, Intezer, NSFOCUS, Trend Micro)
- CHRYSENE (Dragos)
- Cobalt Gypsy (Secureworks) (primary)
- Cobalt Lyceum (Secureworks)
- Crambus (Symantec)
- Europium (previously used by Microsoft)
- Greenbug (ClearSky, Symantec)
- Hazel Sandstorm (Microsoft)
- Helix Kitten (CrowdStrike, Wikipedia)
- HEXANE (Dragos) (linked to Lyceum by Kaspersky)
- ITG13 (IBM)
- Lyceum (Kaspersky, Secureworks)
- OilRig (ClearSky, Cyble, EDTA, ESET, Kaspersky, Malpedia, MITRE, Unit 42)
- TA452 (Proofpoint)
- TG-2889 (formerly used by Secureworks)
- Yellow Maero (PwC)
Sub-group:
- DEV-0842 (Microsoft)
- DEV-0861 (Microsoft) / Scarred Manticore (Check Point Research)
- DEV-0166 (Microsoft) / IntrudingDivisor (Unit 42)
- DEV-0133 (Microsoft)
Known Associates
- Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
- Farzin Karimi Mazlganchai. Source: PwC
Vulnerabilities Exploited
- CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog): Microsoft SharePoint Remote Code Execution Vulnerability. Source: Microsoft
- CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog): Microsoft Office Memory Corruption Vulnerability. Source: Mandiant
- CVE-2017-0199 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog): Microsoft Office and WordPad Remote Code Execution Vulnerability. Source: Unit 42
Tactics, Techniques, and Procedures (TTPs)
- Enterprise TTPs mapped to MITRE ATT&CK Navigator Layers
- Industrial Control System (ICS) TTPs mapped to MITRE ATT&CK Navigator Layers
Known Tools Used
As listed by MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- September 11, 2024 – Check Point Research: Targeted Iranian Attacks Against Iraqi Government Infrastructure
2023
- December 20, 2023 – Security Scorecard: A detailed analysis of the Menorah malware used by APT34
- December 14, 2023 – ESET: OilRig’s persistent attacks using cloud service-powered downloaders
- October 31, 2023 – Check Point Research: From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
- October 19, 2023 – Symantec: Crambus: New Campaign Targets Middle Eastern Government
- September 29, 2023 – Trend Micro: APT34 Deploys Phishing Attack With New Malware
- September 21, 2023 – ESET: OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes
- August 30, 2023 – NSFOCUS: APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
- May 09, 2023 – ESET: ESET APT Activity Report Q4 2022–Q1 2023, specifically page 8 of the PDF (PDF)
- May 08, 2023 – Kaspersky: Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
- February 02, 2023 – Trend Micro: New APT34 Malware Targets The Middle East
2022
- September 08, 2022 – Microsoft: Microsoft investigates Iranian attacks against the Albanian government (ATTRIBUTION TO MOIS)
- May 10, 2022 – Malwarebytes: APT34 targets Jordan Government using new Saitama backdoor
2021
- October 18, 2021 – Kaspersky: Lyceum group reborn
- April 08, 2021 – Check Point Research: Iran’s APT34 Returns with an Updated Arsenal
2020
- July 22, 2020 – Unit 42: OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
- May 19, 2020 – Symantec: Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
- March 02, 2020 – Telsy: APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
- January 30, 2020 – Intezer: New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
2019
- December 17, 2019 – Kaspersky: OilRig’s Poison Frog – old samples, same trick
- December 04, 2019 – IBM: New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
- November 09, 2019 – NSFOCUS: APT34 Event Analysis Report
- August 27, 2019 – Secureworks: LYCEUM Takes Center Stage in Middle East Campaign
- July 18, 2019 – FireEye: Hard Pass: Declining APT34's Invite to Join Their Professional Network
- July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
- May 15, 2019 – Proofpoint: Threat Actor Profile: TA542, From Banker to Malware Distribution Service
- May 06, 2019 – NSFOCUS: Analysis of File Disclosure by APT34
- April 30, 2019 – Unit 42: Behind the Scenes with OilRig
- April 16, 2019 – Unit 42: DNS Tunneling in the Wild: Overview of OilRig’s DNS Tunneling
2018
- November 27, 2018 – Cisco Talos: DNSpionage Campaign Targets Middle East (attributed by FireEye on July 18, 2019)
- November 16, 2018 – Unit 42: Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery
- September 12, 2018 – Unit 42: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
- September 04, 2018 – Unit 42: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
- July 25, 2018 – Unit 42: OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
- February 23, 2018 – Unit 42: OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
- February 23, 2018 – Booz Allen: Researchers Discover New variants of APT34 Malware
- January 25, 2018 – Unit 42: OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
2017
- December 15, 2017 – Unit 42: Introducing the Adversary Playbook: First up, OilRig
- December 11, 2017 – Unit 42: OilRig Performs Tests on the TwoFace Webshell
- December 07, 2017 – FireEye: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
- November 08, 2017 – Unit 42: OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan
- October 24, 2017 – ClearSky: Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
- October 09, 2017 – Unit 42: OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
- September 26, 2017 – Unit 42: Striking Oil: A Closer Look at Adversary Infrastructure
- August 28, 2017 – ClearSky: Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
- July 27, 2017 – Unit 42: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
- July 27, 2017 – Secureworks: The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
- April 27, 2017 – Unit 42: OilRig Actors Provide a Glimpse into Development and Testing Efforts
- March 31, 2017 – LogRhythm Labs: OilRig Campaign Analysis (PDF, TLP:WHITE)
- February 15, 2017 – Secureworks: Iranian PupyRAT Bites Middle Eastern Organizations
- January 05, 2017 – ClearSky: Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
2016
- October 04, 2016 – Unit 42: OilRig Malware Campaign Updates Toolset and Expands Targets
- May 26, 2016 – Unit 42: The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
2015
- October 07, 2015 – Secureworks: Hacker Group Creates Network of Fake LinkedIn Profiles
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat