Threat Actor Profile: APT34 / OilRig

The Iranian threat actor OilRig has left – and continues to leave – a significant mark on the cyber threat landscape. This report traces the group's origins, highlighting the challenge of identifying and attributing its activities due to the many aliases in use and the differing timelines of the researchers who tracked it. The detailed exploration of OilRig's campaigns from 2015 to 2023 reveals a pattern of continuous adaptation and evolution in its techniques. The report also covers OilRig's connections with other threat actors, a potential connection to the Netherlands, and a data leak in 2019 that put OilRig on the receiving end of a cyber operation.


  • Aliases: APT34, CHRYSENE, OilRig, Greenbug, Hazel Sandstorm, EUROPIUM, Cobalt Gypsy, Cleaver, Operation Cleaver, Op Cleaver, Tarh Andishan, Alibaba, TG-2889, G0003, Threat Group 2889, Volatile Kitten, Twisted Kitten, Crambus, Helix Kitten, IRN2, ATK40, G0049, Evasive Serpens, TA452, ITG13, DEV-0861, Scarred Manticore, Yellow Maero, Storm-0861
  • Strategic motives: Espionage, Information theft, Destruction
  • Affiliation: Iran - Ministry of Intelligence of the Islamic Republic of Iran (MOIS)
  • Cyber capabilities: ★★★☆☆
  • Target sectors: Government, Defense, Energy
  • Observed countries: Israel, Lebanon, Turkey, Egypt, Albania, USA

Origins, Motivations & Targets

Like many other Advanced Persistent Threat (APT) groups, this threat actor is known by a multitude of aliases, the most well-known being Helix Kitten, APT34 and, of course, OilRig. Before delving into the intricacies of OilRig's operations, it is important to establish who or what it is that we are discussing. The group has been identified (and consequently named) by different research groups at different times, and it was not always obvious that they were one and the same. For instance, Palo Alto's threat intelligence team Unit 42 discovered the group in 2016, while Mandiant researchers first observed it in 2017, estimating at the time that it had been active since around 2014. Hunt & Hackett's Threat Diagnostic System further indicates that the group may have been active since as early as 2012. Early assumptions were that separately identified groups such as APT34 and OilRig "loosely aligned" with one another, but it later became clear that they refer to the same group.

OilRig has been confirmed to be operating on behalf of the Iranian state. Iran has two separate intelligence and security agencies involved in organising the state's cyber capabilities: the infamous Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence of the Islamic Republic of Iran (MOIS). While both agencies are involved in intelligence gathering, MOIS' main tasks include foreign operations and domestic surveillance. In general, MOIS is considered to be less ideological than its counterpart. Each of these organisations controls multiple APT groups, and OilRig is strongly suspected to be under the control of MOIS. Consequently, it is inevitably interlinked with other MOIS-controlled APTs such as MuddyWater or DarkBit, which pursue similar goals. The relationship between these groups is not always clear, leaving space for further research, for example on whether DarkBit is a subgroup of MuddyWater or its own entity.

Given the background outlined above, it is not surprising that the primary motivations for OilRig's attacks are espionage and information theft. Consequently, its most targeted sectors include government, finance, oil and gas, and telecommunications, but it has also been observed conducting attacks against educational institutions and transport companies. While its focus has been primarily on Middle Eastern countries such as Iraq, Israel, Turkey and Saudi Arabia, the group does venture into the cyberspace of European or Asian nations as well, whenever needed (or rather, whenever required by MOIS). It is worth mentioning that the group also conducts surveillance activities against domestic Iranian subjects.

SWOT analysis

Strengths, weaknesses, opportunities & threats

Strengths

  • No fear of criminal prosecution
  • Advanced ability to develop new tools quickly
  • Strong detection evasion capabilities

Weaknesses

  • More individual attacks than long-term campaigns

Opportunities

  • Conflicts in the Middle East persist
  • Political, economic and religious interests in the region create opportunities for Iran to intervene
  • Ability to further improve their already advanced defense evasion capabilities with new AI tools

Threats

  • They have been hacked by another APT
  • Their code, tools and members' identities were leaked


OilRig in the Netherlands

In 2019, a series of leaks involving hacking tools allegedly used by the Iranian-linked cyber-espionage group OilRig surfaced. The leaks originated from a Telegram channel and exposed the group's malicious code, server IP addresses and alleged victims. The leaker, operating under the pseudonym "Lab Dookhtegan", claimed to reveal the identities of OilRig members and implicated the Iranian intelligence ministry. The leaked tools, including a remote access trojan and over 100 web shells, were confirmed as authentic by cybersecurity researchers. This arsenal has been used in hacking campaigns targeting Middle Eastern governments and the aerospace, energy and financial sectors. The data dump provides insight into OilRig's preference for web shells, which are deployed by exploiting vulnerabilities in web applications.

At the same time, questions about the leaker's motives arose, with some speculating that it could be an Iranian dissident or part of a counterintelligence effort. The leak has been compared to the 2017 Shadow Brokers incident, although the effectiveness of the leaked tools is considered limited. A second Telegram account associated with the Lab Dookhtegan persona continued to release details about OilRig, alleging ties to Iranian intelligence and exposing the identities of specific group members.

This brings us to the indirect connection between the Netherlands and OilRig. The 2019 Telegram leak was carried out through accounts named "Dookhtegan1". The person behind these accounts used images of political activist Mehdy Kavousi, an Iranian national living in the Netherlands. Kavousi is famous for a picture of him with sealed lips, taken while he was protesting Dutch asylum laws in 2004.


Trends

Given the 2023 Israel-Gaza conflict, it is likely that OilRig continues to leverage its cyber capabilities against Israel. In the past, the group has been known to target Israeli critical infrastructure, including organisations in the government, healthcare and manufacturing sectors. It is an incredibly persistent threat, having been seen re-compromising the same targets across multiple campaigns. Due to the covert nature of OilRig's activities, it is likely that the full scope of its operations in relation to this conflict has yet to be revealed.

Since Hamas attacked Israel in October 2023, Iranian state-backed actors have intensified their cyberattacks and influence operations against Israel, creating what some researchers have called an "all hands on deck" threat environment. Iran has supported pro-Palestinian groups since the 1979 Islamic Revolution. According to a Microsoft analysis, the number of Iranian cyber operations against Israel jumped from roughly one operation every other month in 2021 to 11 in October 2023 alone. As the conflict progressed, Iranian actors broadened their geographic scope to target Albania, Bahrain and the United States. Tensions between Iran and Israel escalated further in July 2024, when Hamas leader Ismail Haniyeh was killed in a targeted missile strike in Tehran. It is assumed that Israel was behind the attack, though the Israeli government made no claim of responsibility and said it would make no comment on the killing. Haniyeh's death sparked concerns that an all-out war would break out between the two countries, though this has not transpired so far.

Iran and Israel have been engaged in an enduring asymmetric conflict that is typically fought through missile strikes, regional proxies, cyber-espionage and sabotage, and influence operations. While the war in Gaza has brought tensions to their highest peak in many years, both Israel and Iran are constrained by the fact that neither side has the military capabilities to sustain a longer-term conventional military campaign against its opponent. There are incentives on both sides to continue fighting a sub-threshold war, and cyber operations allow for a greater degree of stealth and deniability for both.
