APT34

apt34 · primary source: MITRE · first observed 2013

IR · IranState-sponsoredModerate confidencelast cited Feb 27, 2018 · 8y ago

Iranian state-sponsored actor publicly assessed to operate on behalf of the Iranian government, with persistent targeting of Middle East government, financial, energy, and telecommunications organizations. Known for DNS-tunneling implants and supply-chain compromise against telecom providers as a stepping stone to downstream customers.

Aliases

OilRigOtherHelix KittenCrowdStrikeHazel SandstormMicrosoftEUROPIUMMicrosoftCrambusOther

Motivations

espionage

Target sectors

governmentenergyfinancialtelecommunications

Target countries

SAAEILUSGBKWJO

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

APT34
Iran
espionage

Capability

Infrastructure

uber-asia.com

Victim

government
energy
financial
SA
AE
+1 more

MITRE ATT&CK techniques

T1071.004 T1190 T1078.004 T1566.001

Tools & malware

1 entry

MimikatzCredential dumper

Timeline

1 event

ReportMedium2018-02-28·Symantec (Broadcom)
Symantec attributes Middle East telecom intrusions to OilRig
Symantec published a profile linking OilRig (APT34) to a multi-year intrusion campaign against Middle East government and financial-sector targets, including telecom providers used as supply-chain stepping stones to downstream customers.
attributionirantelecommunications

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
SHA-256	26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b family · Saitama Malicious Excel document 'Confirmation Receive Document.xls' used by APT34 to drop the Saitama backdoor in the April 2022 Jordanian Foreign Ministry spearphishing campaign analyzed by Malwarebytes.	Apr 25, 2022	Malwarebytes (ThreatDown)
Domain	uber-asia[.]com family · Saitama DNS-tunneling C2 domain used by APT34's Saitama backdoor per the May 2022 Malwarebytes analysis; one of three actor-controlled domains (alongside asiaworldremit.com and joexpediagroup.com) impersonating legitimate travel and remittance brands.	Apr 25, 2022	Malwarebytes (ThreatDown)
SHA-256	e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d family · Saitama Saitama .NET backdoor payload (update.exe) attributed by Malwarebytes/ThreatDown to APT34 (OilRig / Helix Kitten / Hazel Sandstorm) in a May 2022 spearphishing operation against a Jordanian Ministry of Foreign Affairs official. Saitama uses DNS tunneling for C2.	Apr 25, 2022	Malwarebytes (ThreatDown)

Related actors

shared ATT&CK techniques

CN · ChinaAPT402 shared techniques
- T1078.004
- T1190
RU · RussiaCOLDRIVER2 shared techniques
- T1078.004
- T1566.001
RU · RussiaDragonfly2 shared techniques
- T1190
- T1566.001
RU · RussiaRomCom2 shared techniques
- T1190
- T1566.001
CN · ChinaSalt Typhoon2 shared techniques
- T1078.004
- T1190
KP · DPRKAndariel1 shared technique
- T1190

References

G0049 — OilRig
MITRE ATT&CK

cite this page

Threat Intel Tracker. (2026-05-19). APT34 — actor profile. Retrieved from https://threatintel.local/actors/apt34

latest cited activity · 2018-02-28 · 3 cataloged indicators