Group: OilRig, CHRYSENE, ...
| Field | Value |
|---|---|
| Associated Groups | OilRig, CHRYSENE, Greenbug, APT 34 |
| External Contributors | Dragos Threat Intelligence |
OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors, as well as the petrochemical and oil and gas sectors.[1][2][3] OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the 2012 Shamoon attacks on Saudi Aramco.
Associated Group Descriptions

Techniques Used
- Spearphishing Attachment - OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments.[5]
- Scripting - OilRig has embedded a macro within spearphishing attachments that is made up of both a VBScript and a PowerShell script.[5]
- Standard Application Layer Protocol - OilRig communicated with its command and control using HTTP requests.[5]
- Drive-by Compromise - OilRig has been seen using watering hole attacks to collect credentials that could be used to gain access to ICS networks.[6]
References
- [1] N.A. (n.d.). Advanced Persistent Threat Group 34. Retrieved October 31, 2019.
- [2] Manish Sardiwal et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved October 31, 2019.
- [3] Dragos. (n.d.). Chrysene. Retrieved October 27, 2019.
- [4] Bryan Lee, Robert Falcone. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved October 31, 2019.
- [5] Robert Falcone, Bryan Lee. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
- [6] Eduard Kovacs. (2018, May 21). Group linked to Shamoon attacks targeting ICS networks in Middle East and UK. Retrieved January 3, 2020.