Introduction
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to reach its primary targets. The group is assessed to work on behalf of the Iranian government, based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.
Sources: FireEye APT34 (Dec 2017); Palo Alto OilRig (April 2017); ClearSky OilRig (Jan 2017); Palo Alto OilRig (May 2016); Palo Alto OilRig (Oct 2016); Unit42 OilRig Playbook (2023); Unit 42 QUADAGENT (July 2018).
Activities and Tactics
Targeted Sectors: Energy, Government, Telecommunications, Chemical, Engineering, Finance, Administration, Telecoms, Other, Private sector, Civil society
Country of Origin: 🇮🇷 Iran
Risk Level: High
First Seen: 2014
Last Activity: 2024
Incident Type: Espionage
Suspected Victims: Israel, Kuwait, United States, Turkey, Saudi Arabia, Qatar, Lebanon, Middle East
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
Information pending cataloguing.
Attribution and Evidence
Country of Origin: Iran
Additional attribution information pending cataloguing.
References
[1] MITRE ATT&CK entry
[2] FireEye APT34, Dec 2017
[3] Palo Alto OilRig, April 2017
[4] ClearSky OilRig, Jan 2017
[5] Palo Alto OilRig, May 2016
[6] Palo Alto OilRig, Oct 2016
[7] Unit42 OilRig Playbook, 2023
[8] Unit 42 QUADAGENT, July 2018