APT34
APT34, also known as OilRig or HELIX KITTEN, is an Iranian state-sponsored cyber-espionage group active since at least 2014, known for targeting organizations across the Middle East and beyond using sophisticated spear-phishing campaigns and custom malware.

The origin of APT34
APT34 (also known as OilRig, HELIX KITTEN, CHRYSENE, and COBALT GYPSY) is an Iranian state-sponsored Advanced Persistent Threat (APT) group active since at least 2014. The group is assessed to operate on behalf of the Iranian Ministry of Intelligence and Security (MOIS). APT34 is primarily focused on fulfilling Iranian geopolitical intelligence objectives across the Middle East, North Africa (MENA), and parts of Eurasia. Known for its sophisticated custom toolsets, DNS hijacking capabilities, and strategic spear-phishing campaigns, APT34 often leverages social engineering and publicly available tools to access and persist in targeted networks.
Countries targeted by APT34
APT34 operations concentrate on the Middle East, including Saudi Arabia, the UAE, Israel, Jordan, Lebanon, Iraq, Bahrain, Kuwait, Yemen, Syria, and Qatar. Reporting also places victims in Turkey, Azerbaijan, South Africa, and Mauritius, indicating a broadening regional interest and an effort to gather intelligence beyond Iran's immediate neighborhood.
Industries targeted by APT34
APT34 targets a wide range of sectors, especially those that align with Iranian intelligence-collection priorities. These include academic institutions, energy (especially oil and gas), manufacturing, financial services, telecommunications, and government entities. Organizations in the technology, military, media, law enforcement, and chemical sectors are also frequently targeted, typically as part of broader intelligence-collection campaigns.
APT34's victims
Notable operations have included the compromise of Israeli human resources and job portals to establish Command and Control (C2) infrastructure, and reconnaissance activities targeting organizations in Jordan and Syria using open-source vulnerability scanners. The group has a history of supply chain compromises, abusing trust relationships to pivot into higher-value targets within government or critical infrastructure sectors.
APT34's attack method

APT34 typically uses spear-phishing emails (sometimes from compromised accounts) as well as LinkedIn messages to deliver payloads. They also set up fake VPN or job-related websites to lure victims.

They exploit privilege-escalation vulnerabilities such as CVE-2024-30088 (a Windows kernel elevation-of-privilege flaw) to obtain SYSTEM on a compromised host, then use credential dumping tools such as Mimikatz to harvest accounts and reach domain-level access.

APT34 evades detection through obfuscation, use of signed malware, disabling of system firewalls, and indicator removal techniques.

Tools such as LaZagne, PICKPOCKET, and VALUEVAULT are used to dump credentials stored by browsers and the Windows Credential Manager (Windows Vault), while Mimikatz is used against LSASS memory.

They perform extensive reconnaissance using tools like SoftPerfect Network Scanner, WMI, and various scripts to query registry, user accounts, and services.

Using valid accounts over RDP, VPN, Plink (SSH tunneling), and SSH, they pivot across systems with traffic that blends in with legitimate administrative activity.

APT34 uses keyloggers, clipboard data stealers, browser data extractors, and automated tools to collect credentials and sensitive files.

Payloads are executed via PowerShell, VBScript macros, batch files, WMI, and HTML Help (CHM) files.

Data is exfiltrated using HTTP, DNS tunneling, FTP, and even via compromised email accounts.

The primary objective is data theft rather than destruction. Their impact is strategic, focusing on intelligence collection rather than sabotage.
FAQs
Who is behind APT34?
APT34 is believed to operate under Iran’s Ministry of Intelligence and Security (MOIS), focusing on cyber-espionage in line with state interests.
What are APT34’s most common initial access methods?
Primarily spear-phishing emails, compromised websites, and social media engagement, including LinkedIn-based phishing.
What types of malware does APT34 use?
Custom malware like Helminth, SaitamaAgent, AgentDrable, EarthquakeRAT, and various web shells (TwoFace, IntrudingDivisor).
How does APT34 maintain persistence in victim networks?
Through scheduled tasks, abuse of Outlook Home Page, and remote access tools like ngrok and VPN software.
How does APT34 exfiltrate data?
Via HTTP/DNS channels, FTP, or even sending data through compromised email accounts.
What vulnerabilities has APT34 exploited in the wild?
CVEs include CVE-2017-0199, CVE-2017-11882, CVE-2020-0688, CVE-2018-15982, and CVE-2024-30088.
What tools are used for credential access?
Tools include Mimikatz, LaZagne, VALUEVAULT, and browser-based data dumpers like CDumper and EDumper.
How can organizations detect APT34 activity?
Monitor for PowerShell misuse (encoded commands, download cradles, execution from Office or CHM parents), DNS query patterns consistent with tunneling (many long, high-entropy subdomains under a single parent domain from one host), writes to the Outlook folder home page registry value (HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\Inbox, value URL), and VPN or RDP logons from unexpected accounts, sources, or hours.
What is the best way to respond to an APT34 intrusion?
Isolate affected systems, audit for credential reuse, remove persistence mechanisms, and analyze logs for C2 traffic patterns (e.g., unusual HTTP POSTs or DNS queries).
What detection solutions are effective against APT34?
Network Detection and Response (NDR) solutions are highly effective against APT34, offering deep visibility into east-west traffic, detecting stealthy techniques like DNS tunneling and protocol abuse. When combined with Endpoint Detection and Response (EDR) for PowerShell and WMI monitoring, and SIEM for correlating privilege escalation and lateral movement behaviors, organizations can establish a comprehensive, layered defense.