

OilRig

MITRE ATT&CK ID: G0049 · Attributed origin: Iran · Motivation: Espionage

Also known as: COBALT GYPSY · IRN2 · APT34 · Helix Kitten · Evasive Serpens · Hazel Sandstorm · EUROPIUM · ITG13 · Earth Simnavaz · Crambus · TA452

Overview

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears to carry out supply chain attacks, leveraging the trust relationship between organizations to reach its primary targets. The assessment that the group works on behalf of the Iranian government rests on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.

Targets

Chemical · Civil society · Defense · Education · Energy · Engineering · Finance · Government · Other · Private sector · Technology · Telecommunications

Regions

Canada · China · France · Germany · India · Iraq · Israel · Kuwait · Lebanon · Mexico · Middle East · Pakistan · Qatar · Saudi Arabia · South Korea · Turkey · United Kingdom · United States

Capabilities

  • Supply-chain compromise — ATT&CK T1195
  • Destructive / data-wiping operations — software: ZeroCleare
  • Exploitation for client execution — ATT&CK T1203
  • Custom malware/implant development — ATT&CK: 18 attributed custom malware families
  • MISP galaxy capabilities (meta.capabilities): watering-hole attacks, 64-bit malware, covert C2 over DNS (IPv6 AAAA records), ISMDOOR
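The "covert C2 over DNS" entry above is the one capability in this list a network defender can test for directly from resolver logs. The detector below is an added example, not code from threatfilter.dev, from MISP, or from any OilRig tooling; its log format (timestamp, client IP, query type, query name), every query in its sample, and the placeholder zone updates-cdn.test are constructed for the illustration. It scores each client/zone pair on label entropy, never-repeating subdomains, and subdomain length, and reports the AAAA share as corroboration rather than a requirement, so it generalises beyond AAAA to tunnelling over any record type.

```python
"""
Heuristic detector for DNS-tunnelled command and control.
Added example: not code from threatfilter.dev, MISP, or any OilRig sample.
The log format and all sample queries below are constructed.
"""
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client_ip> <qtype> <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(A|AAAA|TXT|CNAME|MX|NS)\s+(\S+)$")

# Base32 alphabet (a-z, 2-7) in a fixed shuffled order; used only to build
# the constructed tunnel queries in build_sample_log().
ALPHABET = "q7kzm2wexb4vyjs3pnlhr5tcg6dfaiou"


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score far above hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, zone). The zone is taken to be the last two labels,
    an assumption that keeps the example offline; production code should use
    a public-suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            yield {"ts": m.group(1), "client": m.group(2),
                   "qtype": m.group(3), "qname": m.group(4)}


def score_domains(records, min_queries=8, entropy_min=3.5,
                  unique_min=0.8, label_len_min=20):
    """Aggregate per (client, zone) and alert when at least two tunnel
    signals fire. The AAAA share is reported, not required: IPv6-only hosts
    legitimately send mostly AAAA queries."""
    stats = defaultdict(lambda: {"total": 0, "aaaa": 0, "subs": set(),
                                 "entropy": 0.0, "length": 0})
    for r in records:
        sub, zone = split_name(r["qname"])
        st = stats[(r["client"], zone)]
        st["total"] += 1
        if r["qtype"] == "AAAA":
            st["aaaa"] += 1
        st["subs"].add(sub)
        st["entropy"] += shannon_entropy(sub.replace(".", ""))
        st["length"] += len(sub)

    alerts = []
    for (client, zone), st in sorted(stats.items()):
        n = st["total"]
        if n < min_queries:
            continue
        mean_entropy = st["entropy"] / n
        unique_ratio = len(st["subs"]) / n
        mean_len = st["length"] / n
        reasons = []
        if mean_entropy >= entropy_min:
            reasons.append(f"mean label entropy {mean_entropy:.2f} bits")
        if unique_ratio >= unique_min:
            reasons.append(f"{unique_ratio:.0%} of queries never repeat")
        if mean_len >= label_len_min:
            reasons.append(f"mean subdomain length {mean_len:.0f}")
        if len(reasons) >= 2:
            alerts.append({"client": client, "zone": zone, "queries": n,
                           "aaaa_ratio": st["aaaa"] / n, "reasons": reasons})
    return alerts


def build_sample_log() -> str:
    """Constructed traffic: one host browsing normally, one host pushing
    encoded chunks as AAAA queries under a throwaway zone."""
    lines = []
    benign = ["www.example.com", "mail.example.com", "www.example.com",
              "api.example.com", "www.example.com", "www.example.com",
              "mail.example.com", "www.example.com", "api.example.com",
              "www.example.com"]
    for i, name in enumerate(benign):
        qtype = "AAAA" if i == 2 else "A"  # one benign AAAA, to show it is not a trigger
        lines.append(f"2024-01-01T09:00:{i:02d}Z 10.0.0.5 {qtype} {name}")
    # Stand-in for base32-encoded data: rotations of ALPHABET plus a sequence
    # counter, so every label is unique and its character distribution is flat.
    for i in range(12):
        label = f"{i:02d}{ALPHABET[i:]}{ALPHABET[:i]}"
        lines.append(f"2024-01-01T09:01:{i:02d}Z 10.0.0.7 AAAA "
                     f"{label}.s1.updates-cdn.test")
    return "\n".join(lines)


if __name__ == "__main__":
    for a in score_domains(parse_log(build_sample_log())):
        print(a["client"], a["zone"], f"AAAA share {a['aaaa_ratio']:.0%}",
              "; ".join(a["reasons"]))
```

Run as-is it flags only the 10.0.0.7 / updates-cdn.test pair. Before using it on real resolver logs, replace the two-label zone assumption with a public-suffix list and baseline the three thresholds against your own traffic, since some legitimate services also encode data in query names.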

TTPs — 76 techniques across 13 tactics

Resource Development · Persistence · Privilege Escalation · Defense Evasion · Lateral Movement · Command and Control

Tools & malware (30)

Custom malware (18): ISMInjector · ODAgent · RDAT · QUADAGENT · OopsIE · ZeroCleare · POWRUNER · Solar · BONDUPDATER · SideTwist · Helminth · Mango · OilBooster · SampleCheck5000 · SEASHARPEE · PowerExchange · OilCheck · RGDoor

Public tools and built-in Windows utilities (12): Mimikatz · LaZagne · PsExec · ngrok · certutil · Net · Reg · Systeminfo · Tasklist · netstat · ipconfig · ftp

Reporting (3)