Threats Feed | OilRig | Last Updated: 07/04/2025 | Author: Certfa Radar | Publish Date: 04/04/2023

Breaking Down OilRig's August 2022 Attack: A Detailed Look at Techniques Used

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Keylogger, Malicious Macro, Spear Phishing
  • Attack Complexity: Medium
  • Threat Risk: Low Impact/High Probability

Threat Overview

The Iranian state-sponsored threat actor, OilRig, known for targeting global sectors such as Government, Financial Services, Energy, Telecommunications, and Technology, carried out an attack in August 2022 using a malicious Word document. This document contained embedded macros that dropped additional payloads for discovery, collection, and exfiltration routines. The payloads used PowerShell scripts and Windows utilities for information gathering and established persistence with a scheduled task named "WindowsUpdate". OilRig used multiple techniques in this attack such as Process Discovery, System Information Discovery, File and Directory Discovery, System Network Configuration Discovery, and others.

Detected Targets

Type   | Description            | Confidence
Sector | Information Technology | High
Sector | Telecommunication      | High

FAQs

Understanding the OilRig Attack Simulation

A malicious Word document was used to infect victims' systems by executing hidden scripts and establishing long-term control, allowing for information gathering and data theft.

The attack was carried out by OilRig (also known as APT34), a cyber-espionage group believed to be backed by the Iranian government.

The campaign aimed to steal sensitive data, monitor user activity, and maintain persistent access for extended reconnaissance or future operations.

Organizations in government, finance, energy, telecommunications, manufacturing, and tech sectors were primarily targeted.

The attacker tricked users into opening a fake job application document. Once opened, it ran embedded scripts to collect data, log keystrokes, take screenshots, and send the data back to the attackers.

These sectors often hold strategic, financial, or technological information valuable for espionage or national advantage.

Organizations should monitor for suspicious task scheduling and PowerShell activity, enable security logging, restrict privileges, and keep endpoint protection systems up to date.
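One way to operationalise that monitoring advice, as an added example that is not part of the Certfa Radar page: a Python triage routine over Windows Security event 4698 ("A scheduled task has been created") records that flags the pattern described in the overview above, a task named like a Windows component whose action launches PowerShell. The event records, task names and task XML below are constructed for the example, not telemetry from the incident; the task XML namespace and the TaskName/TaskContent field names are those of the real event.

```python
"""Triage Windows Security event 4698 (scheduled task created) records for
tasks that mimic a Windows component and run a script host. All sample data
in this file is constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Namespace of the task definition XML carried in the TaskContent field of event 4698.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts that rarely belong in a scheduled task action on an end-user workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Argument patterns that suggest running quietly or from a user-writable location.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(?:e|ec|enc|encodedcommand)\b", re.I), "encoded command"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I), "script in user-writable path"),
]


def parse_exec_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_el in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        args = exec_el.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def assess_task(task_name, task_xml):
    """Return the list of reasons this task deserves analyst attention (empty if none)."""
    reasons = []
    # A "Windows Update" style name registered outside \Microsoft\Windows\ is mimicry,
    # which is exactly how the "WindowsUpdate" persistence task on this page looks.
    if re.search(r"windows\s*update", task_name, re.I) and not task_name.lower().startswith(
        "\\microsoft\\windows\\"
    ):
        reasons.append("name mimics a built-in task outside \\Microsoft\\Windows\\")
    for cmd, args in parse_exec_actions(task_xml):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        for pattern, label in SUSPICIOUS_ARGS:
            if pattern.search(args):
                reasons.append(label)
    return reasons


def triage(events):
    """Map task name -> reasons for every 4698 record that is worth a closer look."""
    flagged = {}
    for event in events:
        reasons = assess_task(event["TaskName"], event["TaskContent"])
        if reasons:
            flagged[event["TaskName"]] = reasons
    return flagged


def _task_xml(command, arguments):
    """Build a minimal task definition (constructed sample, not a captured one)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        '<Actions Context="Author"><Exec>'
        f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
        "</Exec></Actions></Task>"
    )


# Constructed 4698 records: one legitimate Windows task, one look-alike persistence
# task in the style described on this page, and one ordinary administrative task.
SAMPLE_EVENTS = [
    {"TaskName": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "SubjectUserName": "SYSTEM",
     "TaskContent": _task_xml(r"%windir%\system32\sc.exe", "start wuauserv")},
    {"TaskName": r"\WindowsUpdate",
     "SubjectUserName": "jdoe",
     "TaskContent": _task_xml("powershell.exe",
                              r"-NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1")},
    {"TaskName": r"\Backup\NightlyExport",
     "SubjectUserName": "backupsvc",
     "TaskContent": _task_xml(r"C:\Program Files\Backup\export.exe", "--nightly")},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a real host the records come from the Security log (for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}`), which only contains 4698 when the "Audit Other Object Access Events" subcategory is enabled; the Microsoft-Windows-TaskScheduler/Operational log (event 106, task registered) carries the same task name and registering user if the Security audit is not configured. The mimicry check is deliberately narrow; widen the name pattern to whatever component names your environment's tasks legitimately use.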

While the tactics used are sophisticated and targeted, the tools and techniques are becoming more common. All organizations should evaluate their readiness against such methods.