Nation-State Actor
OilRig (APT34)
Iran • Active since 2014
OilRig is one of Iran's principal cyber-espionage groups. It breaks into governments and energy companies in the Middle East using social-engineering lures such as fake job offers and LinkedIn messages.
Overview
OilRig is an Iranian state-sponsored threat group linked to the Ministry of Intelligence (MOIS). They target government, financial, energy, and telecom sectors in the Middle East and globally.
Also Known As
APT34, Helix Kitten, Crambus, Hazel Sandstorm
Target Industries
Government, Financial, Energy, Telecommunications, Chemical
Target Regions
Middle East, United States, Europe
Tactics, Techniques & Procedures
- Spear-phishing
- LinkedIn social engineering
- DNS tunneling
- Web shells
- Credential harvesting
Known Tools & Malware
QUADAGENT, BONDUPDATER, RDAT, OopsIE, Karkoff
Notable Campaigns
DNSpionage (2018-2019)
DNS hijacking campaign against Middle Eastern government organizations.
Tool Leak Aftermath (2019)
Continued operations despite Lab Dookhtegan leak of their tools.
MITRE ATT&CK Techniques
T1566.001 (Spearphishing Attachment), T1598.003 (Spearphishing Link), T1071.004 (Application Layer Protocol: DNS), T1505.003 (Server Software Component: Web Shell), T1003 (OS Credential Dumping)
Defense Recommendations
1. Implement DNS tunneling detection
2. Monitor for OilRig indicators
3. Train staff on LinkedIn-based phishing
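The first recommendation, DNS tunneling detection (the DNS tunneling TTP and T1071.004 listed above), as an added illustration that is not part of the original profile: a Python heuristic over constructed resolver log lines that groups queries by parent domain and flags domains whose leftmost labels are consistently long and high-entropy across many unique hostnames. The log line format, the thresholds and the "last two labels" parent-domain rule are assumptions made for this example; a production detector would use the public suffix list and tune thresholds against its own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (synthetic, not captured traffic).
# Assumed format: "<timestamp> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03Z 10.0.0.7 3q2b7x9k1m4n6v8c0z5a7s9d1f3g5h7j.updates-cdn.example TXT
2024-01-01T10:00:04Z 10.0.0.7 9z8y7x6w5v4u3t2s1r0q9p8o7n6m5l4k.updates-cdn.example TXT
2024-01-01T10:00:05Z 10.0.0.7 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.updates-cdn.example TXT
2024-01-01T10:00:06Z 10.0.0.7 q1w2e3r4t5y6u7i8o9p0a1s2d3f4g5h6.updates-cdn.example TXT
2024-01-01T10:00:07Z 10.0.0.9 cdn.example.org A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>[A-Z]+)$"
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def base_domain(qname: str) -> str:
    """Parent domain approximated as the last two labels (assumption:
    good enough for the sample; real code should use the public suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def detect_dns_tunneling(text: str, min_hostnames: int = 3,
                         min_avg_label_len: int = 20,
                         min_avg_entropy: float = 3.5,
                         suspicious_qtypes=("TXT", "NULL", "CNAME")) -> dict:
    """Return {parent_domain: stats} for domains whose subdomain labels look
    like encoded data: many unique hostnames, long and high-entropy leftmost
    labels. Thresholds are example values, not a vendor baseline."""
    groups = defaultdict(list)
    for rec in parse_log(text):
        groups[base_domain(rec["qname"])].append(rec)

    findings = {}
    for domain, recs in groups.items():
        hostnames, clients = set(), set()
        label_lens, entropies = [], []
        suspicious = 0
        for rec in recs:
            labels = rec["qname"].rstrip(".").lower().split(".")
            if len(labels) <= 2:
                continue  # bare parent domain, nothing encoded in a subdomain
            hostnames.add(rec["qname"].lower())
            clients.add(rec["client"])
            leftmost = labels[0]
            label_lens.append(len(leftmost))
            entropies.append(shannon_entropy(leftmost))
            if rec["qtype"] in suspicious_qtypes:
                suspicious += 1
        if len(hostnames) < min_hostnames:
            continue  # too few distinct names to look like a data channel
        avg_len = sum(label_lens) / len(label_lens)
        avg_ent = sum(entropies) / len(entropies)
        if avg_len >= min_avg_label_len and avg_ent >= min_avg_entropy:
            findings[domain] = {
                "unique_hostnames": len(hostnames),
                "avg_label_len": round(avg_len, 2),
                "avg_entropy": round(avg_ent, 3),
                "suspicious_qtype_ratio": round(suspicious / len(label_lens), 2),
                "clients": sorted(clients),
            }
    return findings


if __name__ == "__main__":
    for domain, stats in detect_dns_tunneling(SAMPLE_LOG).items():
        print(f"possible DNS tunneling via {domain}: {stats}")
```

Run against the constructed sample, only `updates-cdn.example` is flagged: four distinct 32-character labels averaging well above 4 bits per character, all TXT queries from one client. The ordinary `www`/`mail` lookups against `example.com` fall below both the hostname-count and entropy thresholds, which is the point of combining the signals rather than alerting on any long subdomain.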
Related Threat Actors