AI Draft ACTIVE

APT34 / OilRig

Also known as: APT34, OilRig, Helix Kitten, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
Affiliation Iran (suspected)
Motivation Espionage
Status active
Country Iran
First Seen 2014
Target Sectors Government, Financial, Energy, Chemical, Telecommunications
Target Geographies Middle East, United States, Europe

Executive Summary

APT34 (also tracked as OilRig) is a suspected Iranian threat group that MITRE ATT&CK assesses as active since at least 2014. The group targets organizations in the Middle East and internationally, with documented victim sectors including government, financial, energy, chemical, and telecommunications. MITRE notes the group appears to carry out supply-chain attacks leveraging organizational trust relationships.

APT34 and OilRig were previously tracked as separate activity sets by different vendors. MITRE ATT&CK combined them following reporting that gave higher confidence about the overlap between the two clusters. The group is tracked under multiple designations across the security research community, reflecting independent vendor analysis of overlapping intrusion activity.

Notable Campaigns

2017–2018 — Middle East Targeted Intrusions

Mandiant documented targeted attack activity against Middle Eastern organizations attributed to APT34. The reported delivery chain used spearphishing emails containing malicious Microsoft Office documents exploiting CVE-2017-11882, a Microsoft Office memory corruption vulnerability. The intrusion chain incorporated POWRUNER and POWERSTATS, custom PowerShell-based implants used for command-and-control and post-compromise operations.

Technical Capabilities

APT34 has used custom PowerShell-based implant tooling across documented intrusion chains. Mandiant reported the POWRUNER and POWERSTATS malware families as part of the group’s delivery chain in Middle East targeting operations. These tools used PowerShell for execution and HTTP-based channels for command-and-control communications.

MITRE ATT&CK documents APT34 using spearphishing attachments as a primary initial access vector, typically leveraging malicious Microsoft Office documents. The group is reported to conduct supply-chain attacks that exploit organizational trust relationships to gain footholds in target environments, per MITRE’s assessment.

Attribution

MITRE ATT&CK categorizes this group as G0049 and describes it as a suspected Iranian threat group. Mandiant has assessed APT34 as a suspected Iranian threat group targeting entities in the Middle East and internationally, with victim profiles consistent with state intelligence collection priorities.

MITRE ATT&CK lists aliases including Hazel Sandstorm and EUROPIUM for G0049. Cross-vendor naming conventions can reflect overlapping but potentially distinct intrusion sets.

MITRE and Mandiant independently assess Iranian state affiliation based on targeting patterns, tooling, and operational focus. No formal government indictment or specific Iranian government unit designation for APT34/OilRig has been publicly issued.

MITRE ATT&CK Profile

APT34 employs a range of techniques documented across MITRE ATT&CK v19.

Initial Access: Spearphishing with malicious attachments (T1566.001) is the primary documented delivery method, with Mandiant reporting use of Office document exploits including CVE-2017-11882 against Middle Eastern targets.

Execution: Custom PowerShell implants (T1059.001), specifically POWRUNER and POWERSTATS, are core to documented APT34 intrusion chains per Mandiant reporting, providing payload execution and C2 interaction.

Command and Control: Web protocol-based C2 (T1071.001) over HTTP and HTTPS is documented in APT34 malware tooling per MITRE. Ingress tool transfer (T1105) is documented for staging additional payloads following initial compromise.

Sources & References

Known Tools

POWRUNERPOWERSTATS
nation-stateiranespionageapt34oilrigmiddle-eastenergygovernment