Threat Actor ProfileAPT34 / OilRig

2015-2016

2016

In late 2016, ongoing updates were identified, specifically in their Clayslide delivery documents and the Helminth backdoor. Notably, the new campaign's target scope had shifted to include a Qatari company and government entities in Turkey, Israel, and the United States. The group persisted in employing spear-phishing emails with malicious Microsoft Excel documents for compromising victims. For instance, a targeted email to a Turkish government organization utilized a lure related to purport a new login portal login for an airline's website, with a disclaimer that the sender email might have been spoofed. In their malware evolution, the attackers transitioned from the update.vbs variant to the fireeye.vbs variant in late May 2016.[11] One specific chain of attacks focusing on Israeli IT vendors, financial institutes, and the Israeli Post Office, the attackers established a deceptive VPN Web Portal.  

2016

In this campaign the threat actors created fake websites, masquerading as a University of Oxford conference sign-up page and a job application site. Malicious content on these sites was digitally signed with a likely stolen code signing certificate. Targeted countries, based on VirusTotal uploads, known victims, and the content of malicious documents, included Turkey, Qatar, Kuwait, the United Arab Emirates, Saudi Arabia, and Lebanon. In a specific incident, compromised IT vendor accounts were used to send deceptive emails containing links to a fraudulent VPN Web Portal. Upon accessing the portal, victims were instructed to install seemingly legitimate Juniper VPN software bundled with the Helminth malware. Furthermore, the attackers registered domains impersonating The University of Oxford, featuring a fake conference registration site prompting visitors to download a fictitious "University of Oxford Job Symposium Pre-Register Tool." It's worth noting a prior incident where the attackers sent a malicious Excel file impersonating Israir, an Israeli airline, although the file content was copied from the company's public website with no indications of compromise or specific targeting.[12]

2012 & 2016

In 2016, Palo Alto researchers identified new Disttrack samples in an updated attack campaign, potentially related to the Shamoon attacks in August 2012. The initial Shamoon campaign targeted a Saudi Arabian energy company, deploying the destructive malware Disttrack, which exhibited worm-like behavior and caused significant damage to over 30,000 systems. These attacks have been loosely linked to OilRig, although a confirmed connection has not been established. The 2016 Disttrack samples were part of an attack targeting at least one organization in Saudi Arabia, aligning with the focus of the original Shamoon attacks. Unlike the previous campaign, these new samples were configured with a non-operational command and control (C&C) server and were set to initiate data wiping on a specific day, at a specific time. This timing coincided with the end of the work week in Saudi Arabia, providing the malware the entire weekend to propagate, reminiscent of the tactics observed in the 2012 Shamoon attacks. Additionally, similar to the 2012 Shamoon activity, the attackers chose a strategic time, avoiding work hours and aligning with Lailat al Qadr, the holiest night in the Islamic calendar, ensuring reduced employee presence.[13]  

2017

In August of 2017, OilRig conducted an attack against a governmental organisation in the United Arab Emirates. The attack started with a (misspelled) phishing email that contained a malicious attachment. The attackers used the organisation’s Outlook Web Access (OWA) to send the email, which coincides with Palo Alto researchers’ previous observations of OilRig having conducted credential harvesting campaigns on OWA login sites. The malicious delivery document was a word document tracked as ThreeDollars, which – after executing it by clicking on the malicious macro – delivered a new Trojan tool called ISMInjector through a backdoor. They employed an anti-analysis technique, thereby complicating the injection process of payloads into other processes.  This indicates a heightened level of effort in evading security products to effectively compromise their intended targets.[14]

2017

Another set of attacks against unnamed governmental organisations in the Middle East happened in November of 2017, when OilRig was observed to exploit a (then) recent Microsoft vulnerability. The attackers used a custom PowerShell backdoor for their operation, and deployed POWRUNER and BONDUPDATER. Unsurprisingly, the attacks started a phishing email carrying a malicious attachment – in this case an .rtf file. Mandiant researchers concluded after the attacks, that the groups actions suggested “the group’s commitment to pursing strategies to deter detection.”[15]

2018

On January 8, 2018, Palo Alto researchers detected OilRig conducting an attack on a Middle Eastern insurance agency, followed by a similar attack on a financial institution on January 16, 2018. In both incidents, APT34 sought to deliver a new Trojan named OopsIE. The attack on the insurance agency involved a malicious Word document, Seminar-Invitation.doc, containing the ThreeDollars payload. During the January 16 attack, the attackers targeted an organization previously attacked in January 2017, opting for a direct delivery of the OopsIE Trojan without using the ThreeDollars delivery document. This change in tactics indicated a potential response by the targeted organization to counter known OilRig techniques. Despite evolving tools, OilRig’s playbook remains consistent in its attack life cycle, showcasing the group's adaptability and persistence in the Middle East region.[16]

2018

Between May and June 2018, researchers detected a series of attacks by OilRig originating from a government agency in the Middle East. The group likely employed credential harvesting and compromised accounts to use the government agency as a launching platform. Targets included a technology services provider and another government entity within the same nation-state, with attacks designed to appear as though they originated from other entities in the country. The attackers likely utilized stolen credentials from the intermediary organization. The attacks deployed QUADAGENT, a PowerShell backdoor associated with OilRig, confirmed through analysis of reused artifacts and tactics. While the group commonly employs script-based backdoors, packaging these scripts into portable executable files is not a frequently observed tactic for them. QUADAGENT marks the 12th custom-built tool in OilRig’s arsenal.[17]

2019

After a few busy years, OilRig seemed to have taken a step back from the spotlight and ceased its operations for at least a year, potentially due to the heavy coverage their attacks were receiving. Their next known attacks took place in June 2019 against entities in the energy sector, the oil and gas industry, and governmental organisations. FireEye identified their phishing campaign with distinct attributes: the attackers impersonated Cambridge University staff members and used LinkedIn for the distribution of malware. Researchers also pointed out that OilRig used three new malware families as well, in addition to the already familiar PICKPOCKET. The new tools were identified as TONEDEAF, VALUEVAULT and LONGWATCH.[18] The LinkedIn campaign delivering TONEDEAF has been described in Hunt & Hackett’s informational blog about spear phishing. For further information, please visit our blog post. 

2019

After another gap, OilRig surfaced in December 2019. X-Force IRIS researchers discovered a new wiper malware called ZeroClear which was employed in a destructive cyber-attack that impacted entities within the energy and industrial sectors in the Middle East. Through the analysis of the malware and the patterns of the attackers, it is believed that state-sponsored actors from Iran were responsible for developing and deploying this new wiper. Researchers assessed that OilRig and at least one other – not specified – Iranian group collaborated in the development and deployment of the malware.[19]

2020

In early 2020 – a mere month after OilRig’s collaboration to deploy ZeroClear – the group was identified as the attackers behind a phishing campaign against a US professional services company Westat and their clients. The company is known for conducting research for governmental entities and carrying out surveys for federal employees. After the attack was discovered, Westat stated that researchers have “identified a malicious file that uses the Westat name and logo. This file was not created by, hosted by, or sent from Westat, and is likely the result of a bad actor stealing the Westat brand name and logo.”[20] In this attack, TONEDEAF was used once more, confirming the attribution of the attack to OilRig. This instance is outstanding as it marks the first confirmed targeted attack against a non-Middle Eastern entity, specifically tailored through the phishing emails to masquerade as the Maryland-based company.[21]

2020

In May 2020, Palo Alto researchers identified a campaign against a telecommunications organisation in a Middle Eastern country. The malware used in the attacks was an updated version of the RDAT malware which has previously been associated with OilRig, dating back as far as 2017. Analysis of the attacks revealed the use of “custom Mimikatz samples for dumping credentials, a sample of the Bitvise client […] used to create SSH tunnels, and a custom backdoor called RDAT.”[22] The RDAT tool had undergone serious development, demonstrating that OilRig used its time away from major attack to develop and extend their toolset. Most samples used HTTP and DNS tunnelling channels for email communication. This was then uniquely combined with steganographic image file attachments.[23]

2021

In April 2021 Checkpoint researchers discovered a new campaign against a Lebanese company using a new backdoor variant SideTwist. The phishing emails contained a job opportunity document (Job-Details.doc), in line with previous phishing operations conducted by the group. OilRig’s other distinctive technique, DNS tunnelling, was used here as well.[24] This, paired with previously used macros, their phishing techniques, and other technical details, all point to OilRig being behind the attacks.[25] 

2021 - 2022

In a campaign only identified two years after the fact and named the Outer Space campaign by ESET researchers, OilRig targeted an unspecified Israeli organisation using a new backdoor, Solar, and new downloader Sample Checks5000. ESET believes that the campaign was carried out by the group due to the use of a custom Chrome data dumper MKG, as well as other similarities.[26]

Similarly, to the Outer Space campaign, the Juicy Mix campaign also focused on Israeli targets, specifically one in the healthcare sector. The attackers improved the Solar backdoor to create Mango, with improved obfuscation capabilities. The attack included delivering the malicious file Mango.exe by compromising an actual Israeli job portal.[27] Luckily for the affected Israeli organisations, both the Juicy Mix and Outer Space campaigns were detected before any significant impact could result from both of them. 

2022

For the third year in a row, OilRig had a busy April in 2022. They attempted to conduct an attack against a Jordanian governmental entity, predictably starting with a phishing email. On April 26, a Jordanian foreign ministry official received an email from an address pretending to be from the Government of Jordan, containing a malicious attachment “Confirmation Receive Document.xls”. 

Figure 1: “Confirmation Receive Document.xls” – APT34’s phishing email sent to a Jordanian foreign ministry official. Source: Fortinet.

The malicious document’s macro was then supposed to drop the new backdoor Saitama.[28] Malwarebytes attributes the attack to OilRig due to a variety of indicators; the attachment file shared similarities to past confirmed OilRig attacks, the victims being a Middle Eastern governmental entity falls under OilRig’s victimology, and lastly the use of DNS for command-and-control communications is a known observed technique of the group.[29] 

2022

2022 marked the first time that OilRig conducted an attack in Europe. Microsoft researchers were contacted by the Albanian government to investigate and mitigate the destructive cyberattack that disrupted websites and certain public services as well. What was unique in this attack is that it is believed that more than one Iranian APT was participating in it, with each responsible for different stages of the attack. Of these phases, the Microsoft analysis concluded that OilRig was in charge of initial access and data exfiltration.[30]

2023

Between February and August 2023, OilRig conducted an 8-month-long intrusion against a Middle Eastern government, during which they stole files and passwords and installed a PowerShell backdoor named PowerExchange. They monitored incoming emails from an Exchange Server, executing commands and discreetly forwarding information. Malicious activities impacted at least 12 computers, with evidence suggesting the deployment of backdoors and keyloggers on numerous others. Additionally, the attackers extensively used the Plink network administration tool to configure port-forwarding rules, allowing remote access via the Remote Desktop Protocol (RDP). Evidence also indicates modifications to Windows firewall rules for facilitating remote access.[31]

2023

In August 2023 OilRig was observed conducting yet another phishing attack, this time using a newly developed malware, TrendMicro researchers named Menorah. The cyberespionage-oriented malware is equipped to identify the target machine, read and upload files from it, and download additional files or malware. The malicious attachment was titled “MyCV.doc” and the possible target victim was a Saudi Arabian organisation. The malware used in the attacks showed similarities to SideTwist, a backdoor previously used by OilRig.[32]