APT34 (OilRig)
Country: Islamic Republic of Iran
Organization: Ministry of Intelligence and Security (MOIS)
Objective: Espionage, Sabotage
(Page last updated September 20, 2024)
Aliases (sorted alphabetically):
- APT34 (Check Point Research, FireEye, Intezer, NSA, NSFOCUS, Trend Micro)
- CHRYSENE (Dragos)
- Cobalt Gypsy (Secureworks) (primary)
- Cobalt Lyceum (Secureworks)
- Crambus (Symantec)
- Europium (previously used by Microsoft)
- Greenbug (ClearSky, Symantec)
- Hazel Sandstorm (Microsoft)
- Helix Kitten (CrowdStrike, Wikipedia)
- HEXANE (Dragos) (linked to Lyceum by Kaspersky)
- ITG13 (IBM)
- Lyceum (Kaspersky, Secureworks)
- OilRig (ClearSky, Cyble, EDTA, ESET, Kaspersky, Malpedia, MITRE, Unit 42)
- TA452 (Proofpoint)
- TG-2889 (formerly used by Secureworks)
- Yellow Maero (PwC)
Sub-group:
- DEV-0842 (Microsoft) / Void Manticore (Check Point Research)
- DEV-0861 (Microsoft) / Scarred Manticore (Check Point Research) / UNC1860 (Mandiant)
- DEV-0166 (Microsoft) / IntrudingDivisor (Unit 42)
- DEV-0133 (Microsoft)
Known Associates
- Mojtaba Mostafavi. Source: U.S. Treasury (linked by PwC, via Lab Dookhtegan leaks)
- Farzin Karimi Mazlganchai. Source: PwC
Vulnerabilities Exploited
- CVE-2019-0604 (CVE, NVD. CVSSv3.1: 9.8 critical, in CISA's KEV Catalog) Microsoft SharePoint Remote Code Execution Vulnerability Source: Microsoft
- CVE-2017-11882 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office Memory Corruption Vulnerability Source: Mandiant
- CVE-2017-0199 (CVE, NVD. CVSSv3.1: 7.8 high, in CISA's KEV Catalog) Microsoft Office and WordPad Remote Code Execution Vulnerability Source: Unit 42
Tactics, Techniques, and Procedures (TTPs)
- Enterprise TTPs mapped to MITRE ATT&CK Navigator Layers
- Industrial Control System (ICS) TTPs mapped to MITRE ATT&CK Navigator Layers
Known Tools Used
As listed by MITRE
References
Disclaimer: Not an exhaustive list of resources. Most contain actionable intelligence, not just news reporting.
Links (Sorted in Chronological Order)
2024
- September 19, 2024 – Mandiant: UNC1860 and the Temple of Oats: Iran's Hidden Hand in Middle Eastern Networks
- September 11, 2024 – Check Point Research: Targeted Iranian Attacks Against Iraqi Government Infrastructure
- May 20, 2024 – Check Point Research: Bad Karma, No Justice: Void Manticore Destructive Activities in Israel
2023
- December 20, 2023 – Security Scorecard: A detailed analysis of the Menorah malware used by APT34
- December 14, 2023 – ESET: OilRig's persistent attacks using cloud service-powered downloaders
- October 31, 2023 – Check Point Research: From Albania to the Middle East: The Scarred Manticore is Listening (AFFILIATED WITH MOIS)
- October 19, 2023 – Symantec: Crambus: New Campaign Targets Middle Eastern Government
- September 29, 2023 – Trend Micro: APT34 Deploys Phishing Attack With New Malware
- September 21, 2023 – ESET: OilRig's Outer Space and Juicy Mix: Same ol' rig, new drill pipes
- August 30, 2023 – NSFOCUS: APT34 Unleashes New Wave of Phishing Attack with Variant of SideTwist Trojan
- May 09, 2023 – ESET: ESET APT Activity Report Q4 2022–Q1 2023, specifically on page 8 in PDF (PDF)
- May 08, 2023 – Kaspersky: Kaspersky experts warn of increased IT supply chain attacks by OilRig APT in the Middle East and Turkiye
- February 02, 2023 – Trend Micro: New APT34 Malware Targets The Middle East
2022
- September 08, 2022 – Microsoft: Microsoft investigates Iranian attacks against the Albanian government (ATTRIBUTION TO MOIS)
- May 10, 2022 – Malwarebytes: APT34 targets Jordan Government using new Saitama backdoor
2021
- October 18, 2021 – Kaspersky: Lyceum group reborn
- April 08, 2021 – Check Point Research: Iran's APT34 Returns with an Updated Arsenal
2020
- July 22, 2020 – Unit 42: OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory
- May 19, 2020 – Symantec: Sophisticated Espionage Group Turns Attention to Telecom Providers in South Asia
- March 02, 2020 – Telsy: APT34 (aka OilRig, aka Helix Kitten) attacks Lebanon government entities with MailDropper implants
- January 30, 2020 – Intezer: New Iranian Campaign Tailored to US Companies Utilizes an Updated Toolset
2019
- December 17, 2019 – Kaspersky: OilRig's Poison Frog – old samples, same trick
- December 04, 2019 – IBM: New Destructive Wiper ZeroCleare Targets Energy Sector in the Middle East
- November 09, 2019 – NSFOCUS: APT34 Event Analysis Report
- October 21, 2019 – National Security Agency: Turla Group Exploits Iranian APT To Expand Coverage Of Victims (PDF)
- August 27, 2019 – Secureworks: LYCEUM Takes Center Stage in Middle East Campaign
- July 18, 2019 – FireEye: Hard Pass: Declining APT34's Invite to Join Their Professional Network
- July 16, 2019 – BGD e-GOV CIRT (Bangladesh): [DNSPIONAGE] – FOCUS ON INTERNAL ACTIONS
- May 15, 2019 – Proofpoint: Threat Actor Profile: TA542, From Banker to Malware Distribution Service
- May 06, 2019 – NSFOCUS: Analysis of File Disclosure by APT34
- April 30, 2019 – Unit 42: Behind the Scenes with OilRig
- April 16, 2019 – Unit 42: DNS Tunneling in the Wild: Overview of OilRig's DNS Tunneling
2018
- November 27, 2018 – Cisco Talos: DNSpionage Campaign Targets Middle East (attributed by FireEye on July 18, 2019)
- November 16, 2018 – Unit 42: Analyzing OilRig's Ops Tempo from Testing to Weaponization to Delivery
- September 12, 2018 – Unit 42: OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government
- September 04, 2018 – Unit 42: OilRig targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE
- July 25, 2018 – Unit 42: OilRig Targets Technology Service Provider and Government Agency with QUADAGENT
- February 23, 2018 – Unit 42: OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan
- February 23, 2018 – Booz Allen: Researchers Discover New variants of APT34 Malware
- January 25, 2018 – Unit 42: OilRig uses RGDoor IIS Backdoor on Targets in the Middle East
2017
- December 15, 2017 – Unit 42: Introducing the Adversary Playbook: First up, OilRig
- December 11, 2017 – Unit 42: OilRig Performs Tests on the TwoFace Webshell
- December 07, 2017 – FireEye: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
- November 08, 2017 – Unit 42: OilRig Deploys "ALMA Communicator" – DNS Tunneling Trojan
- October 24, 2017 – ClearSky: Iranian Threat Agent Greenbug Impersonates Israeli High-Tech and Cyber Security Companies
- October 09, 2017 – Unit 42: OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
- September 26, 2017 – Unit 42: Striking Oil: A Closer Look at Adversary Infrastructure
- August 28, 2017 – ClearSky: Recent ISMAgent Samples and Infrastructure by Iranian Threat Group GreenBug
- July 27, 2017 – Unit 42: OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group
- July 27, 2017 – Secureworks: The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets
- April 27, 2017 – Unit 42: OilRig Actors Provide a Glimpse into Development and Testing Efforts
- March 31, 2017 – LogRhythm Labs: OilRig Campaign Analysis (PDF, TLP:WHITE)
- February 15, 2017 – Secureworks: Iranian PupyRAT Bites Middle Eastern Organizations
- January 05, 2017 – ClearSky: Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford
2016
- October 04, 2016 – Unit 42: OilRig Malware Campaign Updates Toolset and Expands Targets
- May 26, 2016 – Unit 42: The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor
2015
- October 07, 2015 – Secureworks: Hacker Group Creates Network of Fake LinkedIn Profiles
Feedback: Please direct message any comments, concerns, corrections or questions to https://infosec.exchange/@screaminggoat