APT34

Threat Actor Profile Updated 25 days ago
APT34, also known as OilRig, EUROPIUM, Hazel Sandstorm, and Crambus among other names, is a threat actor believed to be operating on behalf of the Iranian government. Operational since at least 2014, APT34 has conducted long-term cyber espionage operations, primarily reconnaissance efforts that benefit Iranian nation-state interests. The group has targeted a variety of industries, including the financial, government, energy, chemical, and telecommunications sectors, with a significant focus on the Middle East. The attribution to Iran is based on infrastructure details that contain references to Iran, the use of Iranian infrastructure, and targeting that aligns with nation-state interests.

APT34 uses multiple malware families, including POWBAT, POWRUNER, and BONDUPDATER, and exploits vulnerabilities such as the Microsoft Office vulnerability CVE-2017-11882 in its campaigns. It shares similarities with other Iranian groups such as APT39 and MuddyWater, including overlapping target sectors and malware distribution methods. Each group nevertheless exhibits unique characteristics; for instance, the LionTail backdoor is unique to the Scarred Manticore threat actor. In addition, the group has used internet-facing Exchange servers as a communication channel, a technique identified in the Karkoff campaign.

The group's activities have intensified over the years. Recently, Symantec's Threat Hunter Team reported an eight-month-long intrusion by APT34 against an unspecified government in the Middle East, marking an escalation in the cyber war in the region. In this attack, the group reportedly stole files and passwords, installed a PowerShell backdoor that monitored incoming emails on an Exchange Server, and executed commands delivered via those emails. This recent activity underscores the persistent and evolving nature of the threat posed by APT34 and the need for robust cybersecurity measures across the targeted sectors.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
OilRig | 4 | OilRig is a well-known threat actor in the cybersecurity landscape, notorious for its sophisticated attacks on various targets, including Middle Eastern telecommunications organizations and Israel's critical infrastructure sector. This entity has been linked to several high-profile campaigns such as
COBALT GYPSY | 2 | Cobalt Gypsy, also known as APT34, Helix Kitten, Hazel Sandstorm, and OilRig, is an Iranian advanced persistent threat operation that has been active since at least 2014. This threat actor has a history of targeting sectors such as telecommunications, government, defense, oil, and financial services
Menorah | 2 | The Menorah malware, a novel and malicious software, was discovered in October 2023 as part of a cyberespionage operation conducted by the Iranian advanced persistent threat (APT) group OilRig. Also known as APT34, Helix Kitten, Hazel Sandstorm, and Cobalt Gypsy, the group has been strengthening its cy
Crambus | 2 | The Iranian Crambus espionage group, also known as OilRig, APT34, and other aliases, is a threat actor with extensive expertise in long-term cyber-espionage campaigns. In the most recent attack, between February and September 2023, this group infiltrated an unnamed Middle Eastern government's network
Helix Kitten | 2 | Helix Kitten, also known as APT34, OilRig, Cobalt Gypsy, Hazel Sandstorm, and Crambus, is a threat actor believed to originate from Iran. The group has been tracked by various cybersecurity firms including FireEye, Symantec, and CrowdStrike, each using different names to identify the same entity. Th
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Apt
Implant
Reconnaissance
Espionage
Exploit
Iran
Dropper
Phishing
Associated Malware
ID | Type | Votes | Profile Description
SideTwist | Unspecified | 2 | SideTwist is a malware variant discovered and named by Check Point Research during an investigation into a campaign led by the Iranian threat group APT34 (also known as OilRig). This new backdoor variant was used against what appeared to be a Lebanese target. The SideTwist backdoor, identified via i
Associated Threat Actors
ID | Type | Votes | Profile Description
APT33 | Unspecified | 2 | APT33, also known as Curious Serpens, Peach Sandstorm, Elfin, HOLMIUM, MAGNALIUM, and REFINED KITTEN, is a threat actor suspected of having links to Iran. The group has been active since at least 2013 and targets multiple sectors, including aerospace and energy. Its operations have spanned across va
Turla | Unspecified | 2 | Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the APT34 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Trend Micro | a year ago | New APT34 Malware Targets The Middle East
MITRE | a year ago | Iran’s APT34 Returns with an Updated Arsenal - Check Point Research
MITRE | a year ago | New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit | Mandiant
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
CERT-EU | 9 months ago | Hacker Group Disguised as Marketing Company to Attack Enterprise Targets
InfoSecurity-magazine | a year ago | New Credential-Stealing Campaign By APT34 Targets Middle East Firms
CERT-EU | 10 months ago | Iran's APT34 Hits UAE With Supply Chain Attack
MITRE | a year ago | APT39: An Iranian Cyber Espionage Group Focused on Personal Information | Mandiant
Checkpoint | a year ago | 6th February – Threat Intelligence Report - Check Point Research
BankInfoSecurity | 7 months ago | Iran Traps Middle East Nation in 8-Month Espionage Campaign
CERT-EU | 8 months ago | APT34 Employs Weaponized Word Documents to Deploy New Malware Strain
CERT-EU | 9 months ago | Alert: Phishing Campaigns Deliver New SideTwist Backdoor and Agent Tesla Variant
CERT-EU | 8 months ago | Iran-Linked APT34 Spy Campaign Targets Saudis
MITRE | a year ago | Iran Ups its Traditional Cyber Espionage Tradecraft
MITRE | a year ago | APT34 - New Targeted Attack in the Middle East
CERT-EU | 7 months ago | What is Advanced Persistent Threat? Uncover the Hidden Dangers!
CERT-EU | 7 months ago | Iranian hackers lurked in Middle Eastern govt network for 8 months
CERT-EU | 8 months ago | How this Israeli Backdoor written in C#/.NET can be used to hack into any company
CERT-EU | 8 months ago | Iranian APT Group OilRig Using New Menorah Malware for Covert Operations