← All Threat Actors
Threat Actor Profile

OilRig

APT 34 APT34 ATK40 Cobalt Gypsy Crambus Earth Simnavaz EUROPIUM Evasive Serpens G0049 Hazel Sandstorm Helix Kitten IRN2 ITG13 TA452 Twisted Kitten
▲ High Threat
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets. OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve: -Organized evasion testing used the during development of their tools. -Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration. -Custom web-shells and backdoors used to persistently access servers. OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access. Since at least 2014, a
Origin Iran
Sponsor Iran (Islamic Republic of)
Motivation Espionage

Target Sectors

Government Private sector Civil society Chemical Energy Engineering Finance Government, Administration Telecoms Other

Known TTPs

Code Signing Certificates
Windows Credential Manager
System Information Discovery
LSASS Memory
Fallback Channels
Web Protocols
Data from Local System
Windows Host Firewall
Windows Command Shell
Remote Desktop Protocol
Web Shell
Malware
Upload Malware
Masquerading
Remote Access Tools
Compiled HTML File
Network Service Discovery
Local Account
Outlook Home Page
Domain Groups
Screen Capture
Data from Removable Media
System Service Discovery
Password Filter DLL
PowerShell
File Deletion
Tool
Malicious File
External Remote Services
Domain Accounts
Password Policy Discovery
Email Accounts
Domain Account
LSA Secrets
Deobfuscate/Decode Files or Information
Code Signing
Exfiltration Over Unencrypted Non-C2 Protocol
Brute Force
Visual Basic
Spearphishing Link
Modify Registry
Peripheral Device Discovery
DNS
Ingress Tool Transfer
System Network Connections Discovery
Windows Service
Supply Chain Compromise
Malicious Link
Valid Accounts
Asymmetric Cryptography
Spearphishing Attachment
Scheduled Task
Automated Collection
Domains
Keylogging
Match Legitimate Resource Name or Location
System Owner/User Discovery
Spearphishing via Service
Protocol Tunneling
Windows Management Instrumentation
SSH
Credentials from Password Stores
Clipboard Data
Cached Domain Credentials
Encrypted/Encoded File
Local Groups
Credentials In Files
Process Discovery
Credentials from Web Browsers
System Network Configuration Discovery
Exploitation for Client Execution
Query Registry
Command and Scripting Interpreter
System Checks
Exploitation for Privilege Escalation
Indicator Removal from Tools

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD