APT34

Threat Actor updated 4 months ago (2024-05-04T19:02:56.458Z)
APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to operate on behalf of the Iranian government. Active since at least 2014, APT34 has conducted long-term cyber espionage operations focused primarily on reconnaissance in support of Iranian nation-state interests. The group has targeted a variety of industries, including the financial, government, energy, chemical, and telecommunications sectors, with a significant focus on the Middle East. The attribution to Iran rests on infrastructure details that contain references to Iran, the use of Iranian infrastructure, and targeting that aligns with Iranian nation-state interests. APT34 uses multiple malware families, including POWBAT, POWRUNER, and BONDUPDATER, and has exploited vulnerabilities such as the Microsoft Office vulnerability CVE-2017-11882 in its campaigns. It shares similarities with other Iranian groups such as APT39 and MuddyWater, including overlapping target sectors and malware distribution methods. However, each group exhibits unique characteristics; for instance, APT34's use of the LionTail backdoor is unique to the Scarred Manticore threat actor. In addition, the group has used internet-facing Exchange servers as a communication channel, a technique identified in the Karkoff campaign. The group's activities have intensified over the years. Recently, Symantec's Threat Hunter Team reported an eight-month intrusion by APT34 into an unspecified government in the Middle East, marking an escalation of the cyber conflict in the region. In that attack, the group reportedly stole files and passwords, installed a PowerShell backdoor that monitored incoming email on an Exchange Server, and executed commands delivered via email. This recent activity underscores the persistent and evolving nature of the APT34 threat and the need for robust defensive measures across the targeted sectors.
Description last updated: 2024-05-04T16:19:10.103Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
OilRig (4 votes): OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
COBALT GYPSY (2 votes): Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
Menorah (2 votes): The Menorah malware, a novel and malicious software, was discovered in October 2023 as part of a cyberespionage operation conducted by the Iranian advanced persistent threat (APT) group OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy
Crambus (2 votes): The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Helix Kitten (2 votes): Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Implant
Reconnaissance
Espionage
Exploit
Iran
Dropper
Phishing
Associated Malware
SideTwist (relationship type: Unspecified; 2 votes): SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i
Associated Threat Actors
APT33 (relationship type: Unspecified; 2 votes): APT33, an Iran-linked threat actor also known as Peach Sandstorm, Holmium, Elfin, Refined Kitten, and Magic Hound, has been involved in a series of cyber espionage activities targeting various sectors. The group's primary targets include the government, defense, satellite, oil, and gas sectors in th
Turla (relationship type: Unspecified; 2 votes): Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Source Document References
Information about the APT34 threat actor was drawn from the source documents listed below (display limited to 20 results).
Source | Created | Title
CERT-EU | 10 months ago | Iranian Cyber Spies Use 'LionTail' Malware in Latest Attacks
Checkpoint | 10 months ago | From Albania to the Middle East: The Scarred Manticore is Listening - Check Point Research
CERT-EU | 10 months ago | What is Advanced Persistent Threat? Uncover the Hidden Dangers!
CERT-EU | a year ago | Iranian Hackers Lurked for 8 Months in Government Network
CERT-EU | a year ago | New cyber campaign targeted Middle Eastern government, researchers say
CERT-EU | a year ago | Iranian hackers lurked in Middle Eastern govt network for 8 months
BankInfoSecurity | a year ago | Iran Traps Middle East Nation in 8-Month Espionage Campaign
CERT-EU | a year ago | New Menorah malware bolsters OilRig APT's cyberespionage efforts
CERT-EU | a year ago | Iran-Linked APT34 Spy Campaign Targets Saudis
CERT-EU | a year ago | APT34 Employs Weaponized Word Documents to Deploy New Malware Strain
CERT-EU | a year ago | Iranian APT34 Employs Menorah Malware for Covert Operations
CERT-EU | a year ago | Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
CERT-EU | a year ago | How this Israeli Backdoor written in C#/.NET can be used to hack into any company
CERT-EU | a year ago | Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
CERT-EU | a year ago | Hacker Group Disguised as Marketing Company to Attack Enterprise Targets
CERT-EU | a year ago | Hacker Group Disguised as Marketing Company to Attack Enterprise Targets | IT Security News
CERT-EU | a year ago | Russia's 'Turla' Group – A Formidable Cyberespionage Adversary
CERT-EU | a year ago | Iran's APT34 Hits UAE With Supply Chain Attack
CERT-EU | a year ago | Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers