OilRig, also known as APT34, conducted global cyber campaigns using phishing, malware, and supply chain attacks to compromise high-value sectors. AttackIQ released simulations of these attacks to help organizations test their defenses.

Who was behind the attack?

OilRig is believed to be an Iranian state-sponsored hacking group, active since at least 2012, focusing on strategic sectors that align with Iran's national interests.

What was the goal of the attack?

The attackers aimed to steal sensitive information, maintain long-term access to networks, and in some cases cause destruction through wiper malware.

Which industries were targeted?

The attacks targeted governments, financial institutions, energy companies, manufacturers, telecoms, and tech firms worldwide.

How was the attack carried out?

OilRig used phishing on platforms like LinkedIn, malware like Tonedeaf and QuadAgent, credential theft tools, and covert data exfiltration methods over common internet protocols like HTTP and DNS.

Why were these industries targeted?

These sectors hold valuable intellectual property, sensitive financial data, and government information that can be exploited for political, military, or economic gain.

How can organizations protect themselves?

Organizations should strengthen phishing defenses, monitor for scheduled task abuse, inspect DNS traffic for anomalies, enforce multi-factor authentication, and validate their security controls against these attack patterns.

Is this a widespread issue or a targeted one?

This campaign represents a targeted effort against specific sectors but uses techniques that could potentially impact any organization with weak defenses.

Threats Feed|OilRig|Last Updated 23/04/2025|AuthorCertfa Radar|Publish Date11/07/2022

OilRig Campaigns: Phishing and PowerShell Attacks on Global Sectors

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Backdoor,Keylogger,Malware,Phishing,Spear Phishing,Supply Chain Compromise
Attack Complexity: Medium
Threat Risk: High Impact/High Probability

Threat Overview

AttackIQ has released attack graphs emulating OilRig’s operations against global sectors, based on reports from Mandiant, Intezer, and Palo Alto Networks. The 2020 social media phishing campaign used LinkedIn to distribute malicious documents, leading to the Tonedeaf backdoor installation, persistence via scheduled tasks, and credential dumping with tools like LaZagne. The 2018 QuadAgent campaign targeted technology service providers and government agencies with PowerShell malware, establishing persistence, and utilizing multi-channel command-and-control communication, including SSL, HTTP, and DNS.

Reference and Credit: AttackIQ - July 2022

OilRig Attack Graphs: Emulating the Iranian Threat Actor’s Global Campaigns

Detected Targets

Type	Description	Confidence
Sector	Financial	Verified
Sector	Government Agencies and Services	Verified
Sector	Information Technology	Verified
Sector	Manufacturing	Verified
Sector	Energy	Verified
Sector	Telecommunication	Verified
Sector	Utilities	Verified
Region	Middle East Countries	High

FAQs

Understanding the OilRig Threat Campaigns

: OilRig, also known as APT34, conducted global cyber campaigns using phishing, malware, and supply chain attacks to compromise high-value sectors. AttackIQ released simulations of these attacks to help organizations test their defenses.
: OilRig is believed to be an Iranian state-sponsored hacking group, active since at least 2012, focusing on strategic sectors that align with Iran's national interests.
: The attackers aimed to steal sensitive information, maintain long-term access to networks, and in some cases cause destruction through wiper malware.
: The attacks targeted governments, financial institutions, energy companies, manufacturers, telecoms, and tech firms worldwide.
: OilRig used phishing on platforms like LinkedIn, malware like Tonedeaf and QuadAgent, credential theft tools, and covert data exfiltration methods over common internet protocols like HTTP and DNS.
: These sectors hold valuable intellectual property, sensitive financial data, and government information that can be exploited for political, military, or economic gain.
: Organizations should strengthen phishing defenses, monitor for scheduled task abuse, inspect DNS traffic for anomalies, enforce multi-factor authentication, and validate their security controls against these attack patterns.
: This campaign represents a targeted effort against specific sectors but uses techniques that could potentially impact any organization with weak defenses.

About Affiliation

OilRig

Associate threats