Oilrig


About

OilRig is an Iranian state-sponsored cyber espionage group that has been active for roughly a decade. Although it operates as a distinct group, its tooling and targeting overlap with those of other Iranian APT groups. Attacks typically begin with spear-phishing emails carrying malicious documents disguised as job applications or business correspondence. OilRig's operations have grown steadily more sophisticated, and the group frequently exploits vulnerabilities in target systems to gain the access it needs to collect intelligence.

Known aliases
Twisted Kitten, APT34, Cobalt Gypsy, Helix Kitten, Chrysene, TA452, GreenBug, nobody.gu3st, Evasive Serpens, IRN2, Hazel Sandstorm, EUROPIUM, Crambus, ITG13, Yellow Maero, ATK40, DEV-0861, G0049, Scarred Manticore, Storm-0861
Active since
2014 
Primary targets
Organizations in the Middle East, chiefly in the government, energy, telecommunications, finance, and chemical sectors; the group relies on custom backdoors to maintain access and gather intelligence
Motivation
Primarily cyber espionage in support of Iranian national interests; the information stolen can also cause significant economic harm to the victim organizations.
Heritage
Part of Iran’s broader cyber warfare apparatus
Victims

This group's espionage campaigns have affected numerous organizations across the Middle East and occasionally beyond. Targets span a range of sectors, including finance, energy, telecommunications, chemical, and government.

What we know about Oilrig members

No individual members have been publicly identified. However, the group is assessed to operate under Iran's Ministry of Intelligence and Security (MOIS), which suggests its members are Iranian nationals.