OilRig, also tracked as HelixKitten, APT 34, and Twisted Kitten, is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group appears to conduct supply chain attacks, abusing the trust relationships between organizations to reach its primary targets. Based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state goals, researchers conclude that the group operates on behalf of the Iranian government. The financial, political, energy, chemical, and telecommunications sectors are its top targets. For lateral movement, OilRig relies on stolen account credentials: after gaining access to a system, it uses credential dumping tools such as Mimikatz to harvest the credentials of accounts logged on to that system, and then uses those credentials to authenticate to and move laterally between other systems on the network.
Information Theft and Espionage
Exposure of Sensitive Data
Block all threat indicators at your respective controls.
Search for IOCs in your environment.
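The credential-reuse lateral movement described above, and the recommendation to hunt for it in your own environment, can be turned into a concrete detection. The following is an added example, not code from the original advisory or from any vendor product: it scans Windows Security logon events and flags an account that authenticates over the network (Event ID 4624, logon type 3) to several distinct hosts within a short sliding window, a fan-out pattern consistent with an attacker reusing dumped credentials. The pipe-delimited event records, host names, account names and IP addresses are constructed sample data; the field layout, window size and host threshold are assumptions to adapt to your own log source.

```python
"""Flag logon fan-out consistent with lateral movement on stolen credentials.

Added example (not from the original advisory). Input is a list of
constructed, pipe-delimited records:
    timestamp|event_id|logon_type|account|target_host|source_ip
Only successful network logons (4624 / type 3) are considered, so
interactive logons and failures (4625) do not contribute to the count.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical hosts, accounts and addresses).
SAMPLE_EVENTS = [
    "2024-01-10T09:00:05|4624|3|CORP\\svc_backup|FS01|10.0.0.15",
    "2024-01-10T09:01:10|4624|3|CORP\\jdoe|FS01|10.0.0.22",
    "2024-01-10T09:02:30|4624|3|CORP\\svc_backup|FS02|10.0.0.15",
    "2024-01-10T09:03:45|4624|2|CORP\\svc_backup|WS07|-",          # interactive logon, ignored
    "2024-01-10T09:04:12|4624|3|CORP\\svc_backup|DC01|10.0.0.15",
    "2024-01-10T09:05:58|4625|3|CORP\\svc_backup|WEB01|10.0.0.15", # failed logon, ignored
    "2024-01-10T09:06:20|4624|3|CORP\\svc_backup|WEB01|10.0.0.15",
    "2024-01-10T09:30:00|4624|3|CORP\\jdoe|FS01|10.0.0.22",
    "2024-01-10T08:00:00|4624|3|CORP\\admin|DC01|10.0.0.5",
    "2024-01-10T11:00:00|4624|3|CORP\\admin|FS02|10.0.0.5",
]


def parse_event(line):
    """Split one pipe-delimited record into a dict with typed fields."""
    ts, event_id, logon_type, account, host, source_ip = line.split("|")
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "host": host,
        "source_ip": source_ip,
    }


def network_logons(lines):
    """Keep only successful network logons (Event ID 4624, logon type 3)."""
    return [
        e for e in map(parse_event, lines)
        if e["event_id"] == 4624 and e["logon_type"] == 3
    ]


def find_fanout(lines, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for every account that reached at least
    min_hosts distinct hosts via network logon inside some window-long span.

    Uses a two-pointer sliding window per account over time-sorted events so
    that a long-lived account with occasional logons spread over the day is
    not mistaken for a burst of movement.
    """
    by_account = defaultdict(list)
    for e in network_logons(lines):
        by_account[e["account"]].append(e)

    alerts = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["time"])
        hosts_in_window = Counter()
        left = 0
        widest = set()
        for right, e in enumerate(events):
            hosts_in_window[e["host"]] += 1
            # Drop events that fell out of the window on the left edge.
            while events[right]["time"] - events[left]["time"] > window:
                old = events[left]["host"]
                hosts_in_window[old] -= 1
                if hosts_in_window[old] == 0:
                    del hosts_in_window[old]
                left += 1
            if len(hosts_in_window) >= min_hosts and len(hosts_in_window) > len(widest):
                widest = set(hosts_in_window)
        if widest:
            alerts[account] = sorted(widest)
    return alerts


if __name__ == "__main__":
    for account, hosts in find_fanout(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {account} -> {', '.join(hosts)}")
```

On the sample data only `CORP\svc_backup` is reported: it reaches four hosts in about six minutes, while `CORP\jdoe` touches a single file server and `CORP\admin` reaches two hosts three hours apart. Tune `window` and `min_hosts` against a baseline of your own service and administrative accounts before alerting on the result, and pair the rule with detection of the credential dumping step itself (for example, unusual process access to LSASS) so that the two stages of the technique corroborate each other.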