OilRig's Global Cyber Offensive: Credential Theft and Persistent Access
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Brute-force, Credential stuffing, Compromised Credentials, SQL injection, Vulnerability Exploitation, DNS spoofing, Backdoor, Fileless malware
- Attack Complexity: High
- Threat Risk: High Impact/High Probability
Threat Overview
The OilRig group has been actively targeting sectors including government, media, energy, and technology across 27 countries. The group has stolen nearly 13,000 credentials, deployed more than 100 webshells, and maintained backdoor access to compromised hosts. Its techniques include credential dumping with Mimikatz, DNS hijacking, and PowerShell-based tools such as Glimpse and Poison Frog. Its operations involve SQL injection, exploitation of public-facing applications, and webshells for persistent access. These sophisticated TTPs underline the group's persistent threat to diverse industry verticals.
Detected Targets
Type | Description | Confidence |
---|---|---|
Sector | Government Agencies and Services | Verified |
Sector | Information Technology | Verified |
Sector | Logistics | Verified |
Sector | Energy | Verified |
Sector | Media | Verified |
Sector | Transportation | Verified |
Region | Albania | Verified |
Region | Bahrain | Verified |
Region | Cambodia | Verified |
Region | China | Verified |
Region | Egypt | Verified |
Region | Hong Kong | Verified |
Region | Iraq | Verified |
Region | Israel | Verified |
Region | Jordan | Verified |
Region | Kazakhstan | Verified |
Region | Kuwait | Verified |
Region | Lebanon | Verified |
Region | Macau | Verified |
Region | Mexico | Verified |
Region | Mongolia | Verified |
Region | Nigeria | Verified |
Region | Oman | Verified |
Region | Palestine | Verified |
Region | Qatar | Verified |
Region | Saudi Arabia | Verified |
Region | South Korea | Verified |
Region | Taiwan | Verified |
Region | Thailand | Verified |
Region | Turkey | Verified |
Region | United Arab Emirates | Verified |
Region | Zimbabwe | Verified |
Region | Middle East Countries | Verified |
Extracted IOCs
Tip: 32 IOCs related to this threat have been found (10 IP addresses, 3 domains, 0 URLs, 0 email addresses, 19 file hashes).
FAQs
Understanding the OilRig Data Leak
A significant data leak revealed internal tools, stolen credentials, and operational infrastructure tied to the OilRig group, a known cyber espionage actor.
The OilRig group, also known as APT34 or Helix Kitten, is believed to be linked to Iran, based on multiple industry and government reports.
The group aims to gain long-term access to targeted systems for espionage purposes, often stealing credentials and sensitive data.
At least 97 organizations across 27 countries and 18 industries were identified in the leaked data, with over 13,000 stolen credentials.
The campaign targeted a wide range of sectors, including government, energy, media, transportation, and technology service providers.
OilRig used stolen credentials, PowerShell backdoors, webshells, DNS hijacking, and lateral movement through corporate networks to gain and maintain access.
The targeted sectors hold sensitive information and operate critical infrastructure, which makes them attractive to nation-state actors seeking intelligence or disruption capabilities.
Recommended defenses: enforce multi-factor authentication, monitor for DNS tunneling, restrict PowerShell, scan for known malware signatures, and educate users on phishing risks.
The campaign is highly targeted but spans many industries and geographies, indicating OilRig's broad scope and persistent interest in strategic sectors.
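As an added defensive example that is not part of the original page: a heuristic detector for the DNS tunneling the recommendations above say to monitor for, run over constructed DNS query log lines. It assumes a plain "timestamp client qname qtype" log format and a placeholder domain tunnel-example.invalid; the thresholds are illustrative starting points, not values from the page.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed sample DNS query log (not from the original page). One query per line:
# "<timestamp> <client_ip> <query_name> <query_type>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com A
2024-01-01T10:00:02 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03 10.0.0.7 7a3f9c1e0b2d4f6a8c1e3b5d7f9a1c3e.tunnel-example.invalid TXT
2024-01-01T10:00:04 10.0.0.7 9e1c3a5b7d9f1a3c5e7b9d1f3a5c7e9b.tunnel-example.invalid TXT
2024-01-01T10:00:05 10.0.0.7 0b2d4f6a8c1e3b5d7f9a1c3e5b7d9f1a.tunnel-example.invalid TXT
2024-01-01T10:00:06 10.0.0.7 c3e5b7d9f1a3c5e7b9d1f3a5c7e9b1d3.tunnel-example.invalid TXT
2024-01-01T10:00:07 10.0.0.5 cdn.example.com A
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(s):
    """Bits per character: encoded payload labels score high, dictionary words score low."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registered_domain(qname):
    """Last two labels; an approximation, a real deployment would use the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log_text, min_queries=3, entropy_threshold=3.0, length_threshold=24):
    """Per registered domain, flag long, high-entropy, mostly unique subdomains (tunneling heuristic)."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "ent": 0.0, "length": 0, "txt": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _, _, qname, qtype = m.groups()
        base = registered_domain(qname)
        sub = qname[: -len(base)].rstrip(".") if qname != base else ""
        s = stats[base]
        s["n"] += 1
        s["subs"].add(sub)
        s["ent"] += shannon_entropy(sub)
        s["length"] += len(sub)
        s["txt"] += 1 if qtype in ("TXT", "NULL") else 0  # record types that carry bulk payloads
    findings = {}
    for base, s in stats.items():
        n, avg_ent, avg_len = s["n"], s["ent"] / s["n"], s["length"] / s["n"]
        suspicious = (n >= min_queries and avg_ent >= entropy_threshold
                      and avg_len >= length_threshold and len(s["subs"]) / n >= 0.8)
        findings[base] = {"queries": n, "avg_entropy": round(avg_ent, 2), "avg_sub_len": round(avg_len, 1),
                          "txt_ratio": round(s["txt"] / n, 2), "suspicious": suspicious}
    return findings
```

Tune the thresholds against your own resolver's baseline before alerting on them, since CDNs and some security products also emit long, high-entropy labels.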