APT34

Threat Actor updated a month ago (2024-09-20T19:01:16.663Z)
APT34, also known as OilRig, Helix Kitten, and Hazel Sandstorm, is a threat actor group suspected to be linked to Iran. The group has been operational since at least 2014 and is believed to conduct long-term cyber espionage, largely reconnaissance, in support of Iranian nation-state interests. It targets the financial, government, energy, chemical, and telecommunications sectors, with a significant focus on the Middle East.

Veaty and Spearal, two recently reported APT34 malware families, have multiple ties to previously described APT34 families such as Karkoff, Saitama, and IIS Group 2, all used within the same region. The Tactics, Techniques, and Procedures (TTPs) around Veaty and Spearal closely match those families, further indicating APT34's involvement. In an earlier campaign, reported in 2017, APT34 exploited the Microsoft Office vulnerability CVE-2017-11882 to deploy malware including POWBAT, POWRUNER, and BONDUPDATER.

Mandiant observed that organizations compromised by APT34 in 2019 and 2020 had previously been breached by UNC1860, suggesting that UNC1860 supports Iranian state-sponsored operators by handing over access used for lateral movement. Mandiant also identified two custom, GUI-operated malware controllers, tracked as TEMPLEPLAY and VIROGREEN, that provide remote access to victim networks. These findings strengthen the assessment that UNC1860 acts as an initial access provider for groups such as APT34.

The group's operations often rely on custom DNS tunneling protocols and on a C2 channel that carries commands in email subject lines: a distinctive blend of straightforward .NET tools with the sophisticated C2 infrastructure common among Iranian threat actors. The capabilities of APT34 and Iran's other groups are expected to grow over time. The group's primary goals appear to be espionage and the theft of sensitive government information.
Most recently, between March and May 2024, APT34 targeted Iraq with fake document attachments, likely using social engineering to convince users to open the links and run an installer. This activity underscores the group's increasing focus on the Middle East, particularly the government sector in the Gulf region.
Description last updated: 2024-09-20T18:16:23.684Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names and profiles you may also want to look at.

Alias (votes): description

OilRig (4 votes): OilRig, also known as APT34, Helix Kitten, Cobalt Gypsy, Lyceum, Crambus, or Siamesekitten, is a notorious threat actor linked to numerous malicious activities. The group has been associated with campaigns such as DarkHydrus, xHunt, and Decoy Dog, all of which leveraged …

Cobalt Gypsy (2 votes): Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services …

Hazel Sandstorm (2 votes): Hazel Sandstorm, also known as APT34, OilRig, and EUROPIUM, is a threat actor that has been linked to Iran. This group is known for sophisticated and persistent attacks on high-profile organizations, using custom-made tools to gain access and systematically exfiltrate data. The cybersecuri…

Menorah (2 votes): Menorah is a malware family rather than a group name. It was discovered in October 2023 as part of a cyberespionage operation conducted by the Iranian advanced persistent threat (APT) group OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy…

Crambus (2 votes): The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In its most recent attack, between February and September 2023, the group infiltrated an unnamed Middle Eastern government's network …

Karkoff (2 votes): Karkoff is a malware family attributed to APT34 rather than a separate actor. It is cited alongside the Saitama and IIS Group 2 families, which operate in the same geographical region. The Karkoff malware has been observed communicating th…

Helix Kitten (2 votes): Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using a different name for the same entity. Th…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Backdoor
Apt
Iran
Reconnaissance
Espionage
Exploit
State Sponso...
Tunneling
DNS
Dropper
Phishing
Implant
Associated Malware
Alias (association type; votes): description

SideTwist (association type unspecified; 2 votes): SideTwist is a backdoor discovered and named by Check Point Research during an investigation into a campaign by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i…
Associated Threat Actors
Alias (association type; votes): description

APT33 (association type unspecified; 2 votes): APT33, also known as Peach Sandstorm, is an Iran-linked threat actor associated with the Iranian Islamic Revolutionary Guard Corps (IRGC). This group has targeted communication equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, primarily f…

Saitama (association type unspecified; 2 votes): Saitama is listed here as a threat actor, but it is a backdoor malware family attributed to APT34 rather than a distinct group. Saitama and the related Spearal malware pass base32-encoded commands through DNS tunneling. The techniq…

Turla (association type unspecified; 2 votes): Turla, a threat actor linked to Russia, is known for sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often using advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (…
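The DNS tunneling mentioned in the profile above and in the Saitama entry (base32-encoded commands carried in DNS query names) is something a defender can hunt for in resolver logs. The script below is an added example written for this page; it is not APT34 or OilRig tooling and not a Check Point or Mandiant detection rule. The beacon layout (`<base32 chunk>.<seq>.<session>.<zone>`), the log line format, the thresholds and the sample log are constructed assumptions and do not describe the real Saitama or Spearal protocol. The script emulates what such a client would emit, then scores every query on label length, character entropy and whether the label decodes as unpadded base32, and raises an alert once one client has sent several such queries into one zone, reassembling the carried payload.

```python
"""Heuristic detection of base32 DNS-tunneling beacons in DNS query logs.

Added example for this page: NOT APT34/OilRig tooling and NOT a vendor rule.
The beacon layout (<base32 chunk>.<seq>.<session>.<zone>), the log format,
the thresholds and the sample data are constructed assumptions.
"""
import base64
import binascii
import math
import re
from collections import defaultdict
from typing import Optional

ZONE_LABELS = 2      # assumption: the attacker-controlled zone is the last two labels
MIN_LABEL_LEN = 16   # shorter labels carry too little payload to be worth tunneling
MIN_ENTROPY = 2.5    # bits/char; kept low on purpose, raise it to cut false positives
MIN_HITS = 3         # suspicious queries per (client, zone) before an alert fires
B32_RE = re.compile(r"^[a-z2-7]+$", re.IGNORECASE)
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def b32_label(data: bytes) -> str:
    """Encode payload bytes the way a tunnel client would: base32, padding stripped, lowercase."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def encode_beacon(payload: bytes, seq: int, session: str, zone: str) -> str:
    """Build one beacon query name in the assumed layout (illustrative, not a real protocol)."""
    return f"{b32_label(payload)}.{seq}.{session}.{zone}"


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: encoded chunks sit near 4-5, hostnames like 'www' near 0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s.lower():
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_b32_label(label: str) -> Optional[bytes]:
    """Return the decoded bytes if the label is valid unpadded base32, else None."""
    if not B32_RE.match(label):
        return None
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except binascii.Error:
        return None  # right alphabet but a length/padding no base32 encoder produces


def parse_line(line: str) -> Optional[dict]:
    """Parse '<epoch> <client> <qtype> <qname>' (assumed log format); None on junk lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_qname(qname: str):
    """Return (zone, payload) when a non-zone label looks like a base32 chunk, else None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) <= ZONE_LABELS:
        return None
    zone = ".".join(labels[-ZONE_LABELS:])
    for label in labels[:-ZONE_LABELS]:
        if len(label) < MIN_LABEL_LEN or shannon_entropy(label) < MIN_ENTROPY:
            continue
        payload = decode_b32_label(label)
        if payload is not None:
            return zone, payload
    return None


def find_tunnels(lines, min_hits: int = MIN_HITS):
    """Group suspicious queries by (client, zone); alert on repeat offenders and reassemble payload."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify_qname(rec["qname"])
        if verdict is not None:
            zone, payload = verdict
            hits[(rec["client"], zone)].append(payload)
    alerts = [{"client": c, "zone": z, "hits": len(p), "reassembled": b"".join(p)}
              for (c, z), p in hits.items() if len(p) >= min_hits]
    return sorted(alerts, key=lambda a: a["hits"], reverse=True)


# Constructed sample: a tunnel client on 10.0.0.7 pushing the command output below in
# 20-byte chunks, mixed with ordinary lookups from 10.0.0.5. Nothing here is real traffic.
EXFIL = b"whoami /all; net user /domain; ipconfig /all; tasklist /v"
BEACONS = [encode_beacon(EXFIL[i:i + 20], n, "s7k2", "c2-example.invalid")
           for n, i in enumerate(range(0, len(EXFIL), 20))]
SAMPLE_LOG = [
    "1726858000 10.0.0.5 A www.example.com",
    "1726858001 10.0.0.5 A d1a2b3c4d5e6f7g8.cdn.example.net",  # long, but '1' and '8' are not base32
    "1726858002 10.0.0.5 TXT _dmarc.example.com",
] + [f"172685801{n} 10.0.0.7 TXT {q}" for n, q in enumerate(BEACONS)]

if __name__ == "__main__":
    for alert in find_tunnels(SAMPLE_LOG):
        print(f"{alert['client']} -> {alert['zone']}: {alert['hits']} beacons, "
              f"reassembled {alert['reassembled']!r}")
```

Run it as-is and the only alert is the 10.0.0.7 client against c2-example.invalid, with the three chunks reassembled into the original command string; the long CDN-style label is ignored because its digits fall outside the base32 alphabet. The thresholds are deliberately loose for the demonstration: in production, pair the per-zone hit count with query volume, newly seen domains and record-type mix, since legitimate services (DKIM selectors, some CDN and telemetry hostnames) also emit long encoded labels.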
Source Document References
Information about the APT34 Threat Actor was read from the documents below. This display is limited to 20 results.
Source (created)

Securityaffairs (a month ago)
DARKReading (a month ago)
Checkpoint (a month ago), 2 documents
CERT-EU (a year ago)
Checkpoint (a year ago)
CERT-EU (a year ago), 4 documents
BankInfoSecurity (a year ago)
CERT-EU (a year ago), 9 documents