05 Oilrig

Oilrig

Region: Europe, Middle East and Africa, North America
Industries: Energy & Utilities, Financial Services, Government, Healthcare, Telecom
First seen: 2014
Cybercrime: Intelligence gathering and cyberespionage, employing custom backdoors to facilitate their operations
Heritage: Part of Iran’s broader cyber warfare apparatus
Categorizations: Nation-state adversary
Aliases: Twisted Kitten, Crumbus, APT34, Cobalt Gypsy, Helix Kitten, Chrysene, TA452, GreenBug, nobody.gu3st, Evasive Serpens, IRN2, Hazel Sandstorm, EUROPIUM, Crambus, ITG13, Yellow Maero, ATK40, DEV-0861, G0049, Scarred Manticore, Storm-0861
About

OilRig is an Iranian state-sponsored cyber espionage group that has been active for over a decade. While these Masked Actors operate independently, there may be overlaps with other Iranian APT groups. Attacks often begin with spear-phishing emails, typically disguised as personalized job applications or business documents. OilRig’s operations are increasingly sophisticated, frequently exploiting vulnerabilities to gain access to intelligence.

Victims

This group’s cybercrime campaigns have affected numerous organizations across the Middle East and occasionally beyond. They target a range of sectors, including finance, energy, telecommunications, chemical, and government.

What we know about Oilrig members

No known identities. However, we believe the group operates under Iran’s Ministry of Intelligence and Security (MOIS) — suggesting members are Iranian nationals.

Motivations
Primarily cyber espionage to support Iranian national interests. But compromised information can lead to significant economic issues for organizations too.
Top 10 Masked Actors for 2025

#1 RansomHub
#2 GoldFactory
#3 Lazarus
#4 DragonForce
#5 Oilrig
#6 MuddyWater
#7 Brain Cipher
#8 Boolka
#9 Ajina
#10 Team TNT