APT34, also known as OilRig, is a suspected Iranian cyber espionage threat group that has been operational since at least 2014. The group is believed to work on behalf of the Iranian government, based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 is involved in long-term cyber espionage operations largely focused on reconnaissance efforts to benefit Iranian nation-state interests. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.
Tactics, Techniques, and Procedures (TTPs)
APT34 uses a mix of public and non-public tools, often conducting spear phishing operations using compromised accounts, sometimes coupled with social engineering tactics. The group has used exploits for at least two publicly known vulnerabilities (CVE-2017-0199 and CVE-2017-11882) to target organizations in the Middle East.
Here are some of the key TTPs used by the OilRig group:
- Account Discovery: OilRig has run commands like net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim. T1087
- Application Layer Protocol: OilRig has used HTTP and DNS for C2, including the publicly available requestbin.net tunneling service. T1071
- Automated Collection: OilRig has used automated collection. T1119
- Brute Force: OilRig has used brute force techniques to obtain credentials. T1110
- Command and Scripting Interpreter: OilRig has used various types of scripting for execution, including PowerShell scripts, Windows Command Shell, and Visual Basic. T1059
- Credentials from Password Stores: OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. T1555
- Deobfuscate/Decode Files or Information: OilRig has used tools like certutil to decode base64-encoded files on victims. T1140
- Encrypted Channel: OilRig used the Plink utility and other tools to create tunnels to C2 servers. T1573
- Exfiltration Over Alternative Protocol: OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS. T1048
- External Remote Services: OilRig uses remote services such as VPN, Citrix, or OWA to persist in an environment. T1133
- Fallback Channels: OilRig malware ISMAgent falls back to its DNS tunneling mechanism if it is unable to reach the C2 server over HTTP. T1008
- Indicator Removal: OilRig has deleted files associated with their payload after execution. T1070
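The discovery commands, certutil decoding and DNS-based C2 listed above are all visible in ordinary endpoint and DNS telemetry. The following is an added detection example, not part of the original profile: it runs simple rules over constructed process-creation and DNS-query records (all hostnames, paths and domains here are made up), flags the exact command patterns named in the list, and treats a cluster of domain-enumeration commands on one host as a stronger signal than any single call.

```python
import re
from collections import Counter

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "net user /domain"},
    {"host": "ws01", "cmdline": 'net group "domain admins" /domain'},
    {"host": "ws01", "cmdline": 'net group "Exchange Trusted Subsystem" /domain'},
    {"host": "ws02", "cmdline": "certutil -decode update.txt update.exe"},
    {"host": "ws03", "cmdline": "net use \\\\fileserver\\share"},      # benign
    {"host": "ws03", "cmdline": "certutil -verify cert.cer"},          # benign
]

# Rules keyed by ATT&CK technique ID; each regex runs over the command line.
RULES = [
    # T1087: net user/group enumeration against the domain
    ("T1087", re.compile(r"^net1?(\.exe)?\s+(user|group)\b.*\s/domain\b", re.I)),
    # T1140: certutil used to decode a base64/hex payload on disk
    ("T1140", re.compile(r"^certutil(\.exe)?\s+.*-(decode|decodehex)\b", re.I)),
]

def match_events(events):
    """Return (host, technique_id, cmdline) for every event matching a rule."""
    hits = []
    for ev in events:
        cmd = ev["cmdline"].strip()
        for tid, rx in RULES:
            if rx.search(cmd):
                hits.append((ev["host"], tid, cmd))
    return hits

def discovery_burst(hits, threshold=3):
    """Hosts with at least `threshold` T1087 hits: several enumeration
    commands in a row look like an operator, one 'net' call often does not."""
    counts = Counter(host for host, tid, _ in hits if tid == "T1087")
    return sorted(host for host, n in counts.items() if n >= threshold)

# Constructed DNS query log: (host, queried name). Tunnelled C2 packs data
# into long, random-looking leftmost labels under an attacker-owned zone.
SAMPLE_DNS = [
    ("ws02", "0a1b2c3d4e5f60718293a4b5c6d7e8f9.c2-zone.example"),
    ("ws02", "f9e8d7c6b5a4938271605f4e3d2c1b0a.c2-zone.example"),
    ("ws02", "www.microsoft.com"),
]

def suspicious_dns(queries, max_label=20):
    """Flag queries whose leftmost label is longer than typical hostnames."""
    return [(h, q) for h, q in queries if len(q.split(".")[0]) > max_label]
```

Real deployments would pull these records from Sysmon event 1 / Windows 4688 and the resolver log rather than inline lists, and would tune the label-length threshold against the environment's own baseline.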
APT34 has exploited several vulnerabilities to compromise their targets. Here are some of the key vulnerabilities:
- CVE-2017-11882: This is a vulnerability in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 that allows an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory. Microsoft Advisory | NVD
- CVE-2017-0199: This is a vulnerability in Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016, as well as Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 that allows remote attackers to execute arbitrary code via a crafted document, aka “Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API.” Microsoft Advisory | NVD
- CVE-2012-0158: This is a vulnerability in the ListView / TreeView ActiveX controls in the MSCOMCTL.OCX library in Microsoft Office 2003, 2007 and 2010, as well as Microsoft Office 2003 Web Components and Microsoft SQL Server 2000, 2005, 2008 and 2008 R2, that allows remote attackers to execute arbitrary code. Microsoft Advisory | NVD
Geographical and Political Targets
The group is believed to have ties to the Iranian government and primarily targets entities that are of strategic importance to Iran’s geopolitical goals. This includes organizations in the Middle East, but also in other parts of the world. The group’s activities align with Iran’s national priorities, and they have been known to target sectors that are consistent with nation-state interests, such as critical infrastructure, energy, and finance.
APT34 is a sophisticated cyber espionage group that is believed to be working on behalf of the Iranian government. The group has been active since at least 2014 and has targeted a variety of industries, primarily in the Middle East. APT34 uses a mix of public and non-public tools and has been able to quickly incorporate exploits for publicly known vulnerabilities into its operations. The group’s use of the Microsoft Office vulnerability CVE-2017-11882 demonstrates its ability to adapt and evolve its tactics to pursue its objectives.