APT34

Threat Actor updated 23 days ago (2024-11-29T14:51:20.252Z)
Download STIX
Preview STIX
APT34, a threat actor suspected to be linked to Iran, has been operational since at least 2014 and is involved in long-term cyber espionage operations largely focused on reconnaissance efforts. The group targets a variety of sectors including financial, government, energy, chemical, and telecommunications, with its operations primarily concentrated in the Middle East. APT34 uses malware families such as POWBAT, POWRUNER, and BONDUPDATER, which are associated with previous APT34 campaigns and have ties to other malware families like Karkoff, Saitama, and IIS Group 2. In its latest campaign, it leveraged a Microsoft Office vulnerability (CVE-2017-11882) to deploy these malwares. The group's tactics, techniques, and procedures (TTPs) closely resemble those used by the Karkoff and Saitama malware families, suggesting a common origin. Notably, APT34's sophisticated technique for abusing Windows password filters to drop malicious DLLs into the system directory, and exploiting CVE-2024-30088 to gain higher privileges on infected machines, demonstrates their advanced capabilities. They also use a stealthy exfiltration channel that allows them to steal data from sensitive networks, often evading detection. APT34 has been known to leverage access within one organization to carry out follow-on attacks against others tied to it. Recent activity from APT34 includes the deployment of Web shells to vulnerable Web servers, and the use of ngrok for command-and-control (C2), which tunnels through firewalls and other network security barriers, facilitating access to a network's Domain Controller. Trend Micro has reported a "notable rise" in APT34's espionage and theft of sensitive information from government agencies, particularly within the UAE. Given the geopolitical tensions and APT34's increasing activities, organizations are advised to remain vigilant and adopt robust cybersecurity measures.
Description last updated: 2024-10-21T08:39:41.292Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
OilRig is a possible alias for APT34. OilRig, also known as APT34, Earth Simnavaz, Evasive Serpens, and other names, is a well-known threat actor in the cybersecurity industry. This group has been particularly active in targeting entities in the Middle East, including critical infrastructure and telecommunications organizations. One of
5
COBALT GYPSY is a possible alias for APT34. Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
2
Hazel Sandstorm is a possible alias for APT34. Hazel Sandstorm, also known as APT34, OilRig, and EUROPIUM, is a threat actor that has been linked to Iran. This group is known for its sophisticated and persistent cyber attacks on high-profile organizations, using custom-made tools to gain access and systematically exfiltrate data. The cybersecuri
2
Menorah is a possible alias for APT34. The Menorah malware, a novel and malicious software, was discovered in October 2023 as part of a cyberespionage operation conducted by Iranian advanced persistent threat (APT) group, OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy
2
Crambus is a possible alias for APT34. The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
2
Karkoff is a possible alias for APT34. Karkoff is a threat actor identified as part of the APT34 group, known for its malicious cyber activities. It has been linked to several malware families including Karkoff, Saitama, and IIS Group 2, which operate in the same geographical region. The Karkoff malware has been observed communicating th
2
Helix Kitten is a possible alias for APT34. Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Iran
Reconnaissance
Espionage
Exploit
State Sponso...
Tunneling
DNS
Dropper
Phishing
Implant
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The SideTwist Malware is associated with APT34. SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via iUnspecified
2
Associated Threat Actors
To see the evidence that has resulted in these threatActor associations, create a free account
Alias DescriptionAssociation TypeVotes
The APT33 Threat Actor is associated with APT34. APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily fUnspecified
2
The threatActor Spearal is associated with APT34. Unspecified
2
The threatActor Veaty is associated with APT34. Unspecified
2
The Saitama Threat Actor is associated with APT34. Saitama is identified as a threat actor, a human entity responsible for executing actions with malicious intent. It's associated with the execution of cyber-attacks using sophisticated malware such as Saitama and Spearal, which employ base32-encoded commands passed through DNS tunneling. The techniqUnspecified
2
The Turla Threat Actor is associated with APT34. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (Unspecified
2
Source Document References
Information about the APT34 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
DARKReading
2 months ago
Trend Micro
2 months ago
DARKReading
2 months ago
Securityaffairs
3 months ago
DARKReading
3 months ago
Checkpoint
3 months ago
Checkpoint
3 months ago
CERT-EU
a year ago
Checkpoint
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
BankInfoSecurity
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago