A significant data leak revealed internal tools, stolen credentials, and operational infrastructure tied to the OilRig group, a known cyber espionage actor.

Who was behind the attack?

The OilRig group, also known as APT34 or Helix Kitten, is believed to be linked to Iran, based on multiple industry and government reports.

What was the goal of these attacks?

The group aims to gain long-term access to targeted systems for espionage purposes, often stealing credentials and sensitive data.

How many organizations were affected?

At least 97 organizations across 27 countries and 18 industries were identified in the leaked data, with over 13,000 stolen credentials.

What industries were targeted?

The campaign targeted a wide range of sectors, including government, energy, media, transportation, and technology service providers.

How was the attack carried out?

OilRig used stolen credentials, PowerShell backdoors, webshells, DNS hijacking, and lateral movement through corporate networks to gain and maintain access.

Why are these organizations attractive targets?

They hold sensitive information and have access to critical infrastructure—attractive to nation-state actors seeking intelligence or disruption capabilities.

What can organizations do to protect themselves?

Enforce multi-factor authentication, monitor for DNS tunneling, restrict PowerShell, scan for known malware signatures, and educate users on phishing risks.

Is this a targeted or widespread issue?

The campaign is highly targeted but spans many industries and geographies, indicating OilRig's broad scope and persistent interest in strategic sectors.

Threats Feed|OilRig|Last Updated 28/01/2026|AuthorCertfa Radar|Publish Date30/04/2019

OilRig's Global Cyber Offensive: Credential Theft and Persistent Access

Actor Motivations: Espionage,Exfiltration
Attack Vectors: Brute-force,Credential stuffing,Compromised Credentials,SQL injection,Vulnerability Exploitation,DNS spoofing,Backdoor,Fileless malware
Attack Complexity: High
Threat Risk: High Impact/High Probability

Threat Overview

The OilRig group has been actively targeting various sectors, including government, media, energy, and technology across 27 countries. The group has stolen nearly 13,000 credentials, deployed over 100 webshells, and maintained backdoor access to compromised hosts. Techniques include credential dumping with Mimikatz, DNS hijacking, and using PowerShell-based tools like Glimpse and Poison Frog. Their operations involve SQL injections, exploiting public-facing applications, and leveraging webshells for persistent access. The group's sophisticated TTPs underline their persistent threat to diverse industry verticals.

Reference and Credit: Palo Alto Network - April 2019

Behind the Scenes with OilRig

Detected Targets

Type	Description	Confidence
Sector	Government Agencies and Services	Verified
Sector	Information Technology	Verified
Sector	Logistics	Verified
Sector	Energy	Verified
Sector	Media	Verified
Sector	Transportation	Verified
Region	Albania	Verified
Region	Bahrain	Verified
Region	Cambodia	Verified
Region	China	Verified
Region	Egypt	Verified
Region	Hong Kong	Verified
Region	Iraq	Verified
Region	Israel	Verified
Region	Jordan	Verified
Region	Kazakhstan	Verified
Region	Kuwait	Verified
Region	Lebanon	Verified
Region	Macau	Verified
Region	Mexico	Verified
Region	Mongolia	Verified
Region	Nigeria	Verified
Region	Oman	Verified
Region	Palestine	Verified
Region	Qatar	Verified
Region	Saudi Arabia	Verified
Region	South Korea	Verified
Region	Taiwan	Verified
Region	Thailand	Verified
Region	Turkey	Verified
Region	United Arab Emirates	Verified
Region	Zimbabwe	Verified
Region	Middle East Countries	Verified

Extracted IOCs

msoffice-cdn[.]com
myleftheart[.]com
office365-management[.]com
0f20995d431abce885b8bd7dec1013cc1ef7c73886029c67df53101ea330436c
11f66b55f3d24303621e5ef9565b02a576cc58bc5f8789cae96c3d400064b90e
1fb69090be8a2e11eeb220b26ee5eddf1e3fe81ffa59c47d47d01bf90c2b080c
22c4023c8daa57434ef79b838e601d9d72833fec363340536396fe7d08ee2017
27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed
3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62
54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f
5f42deb792d8d6f347c58ddbf634a673b3e870ed9977fdd88760e38088cd7336
691801e3583991a92a2ad7dfa8a85396a97acdf8a0054f3edffd94fc1ad58948
903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996
995ea68dcf27c4a2d482b3afadbd8da546d635d72f6b458557175e0cb98dd999
9ba9bc08259afeef36d2689ef1b5f71ca231d7e590901fa56e69e2c9758a07ef
a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e
c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e
d2b835b102117e327fdc4905ead24d45f46e82dd5ae525e90cca0a685d307619
dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229
e483eee77fcc5ef11d5bf33a4179312753b62ec9a247dd14528cc797e7632d99
fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392
fe9cdef3c88f83b74512ec6400b7231d7295bda78079b116627c4bc9b7a373e0
142[.]234.157.21
164[.]132.67.216
185[.]161.209.57
185[.]161.210.25
185[.]162.235.106
185[.]162.235.121
185[.]162.235.29
185[.]36.191.31
193[.]111.152.13
212[.]32.226.245

download

Tip: 32 related IOCs (10 IP, 3 domain, 0 URL, 0 email, 19 file hash) to this threat have been found.

Overlaps

ITG13ZeroCleare Wiper Targets Middle Eastern Energy Sector in Destructive Cyberattack

Source: IBM - December 2019

Detection (one case): 193[.]111.152.13

APT34Leaked Toolkit Exposes APT34’s Sophisticated Cyberattacks

Source: NSFOCUS - November 2019

Detection (seven cases): 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392, myleftheart[.]com

OilRigUnraveling PoisonFrog: DNS Tunneling Tactics of OilRig Explored

Source: IronNet - September 2019

Detection (one case): myleftheart[.]com

APT34Cyber-Espionage in the Middle East: A Deep Dive into APT34's Operations

Source: Cyware - August 2019

Detection (six cases): 27e03b98ae0f6f2650f378e9292384f1350f95ee4f3ac009e0113a8d9e2e14ed, 3ca3a957c526eaeabcf17b0b2cd345c0fffab549adfdf04470b6983b87f7ec62, a6a0fbfee08367046d3d26fb4b4cf7779f7fb6eaf7e60e1d9b6bf31c5be5b63e, c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e, dd6d7af00ef4ca89a319a230cdd094275c3a1d365807fe5b34133324bdaa0229, fe1b011fe089969d960d2dce2a61020725a02e15dbc812ee6b6ecc6a98875392

APT34APT34 Leak Exposes Espionage Tools and Tactics of Iranian Cyber Actors

Source: APT34 / OILRIG Leak, Quick Analysis - April 2019

OilRigDecoding OilRig's New Cyberthreat: How OopsIE Trojan Targeted Middle East Organizations

Source: Palo Alto Networks - February 2018

Detection (three cases): 185[.]162.235.29, msoffice-cdn[.]com, office365-management[.]com

OilRigInside OilRig's Attack on UAE Government: ISMInjector and CVE-2017-0199 Exploit in Play

Source: Palo Alto Networks - October 2017

Detection (two cases): msoffice-cdn[.]com, office365-management[.]com

GreenbugThe Base64 Disguise: How GreenBug's Trojan ISMAgent Evades Detection

Source: ClearSky - August 2017

Detection (two cases): 185[.]162.235.121, msoffice-cdn[.]com

UnknownTwoFace Webshell: Persistent Threat in Middle Eastern Networks

Source: Palo Alto Networks - July 2017

Detection (one case): 54c8bfa0be1d1419bf0770d49e937b284b52df212df19551576f73653a7d061f

OilRigOilRig Campaign: Malware Updates and Expanded Global Targets

Source: Palo Alto Networks - October 2016

Detection (one case): 903b6d948c16dc92b69fe1de76cf64ab8377893770bf47c29bf91f3fd987f996

Hint: Overlaps are extracted automatically by examining the IOCs associated with all indexed threats and actors.

FAQs

Understanding the OilRig Data Leak

: A significant data leak revealed internal tools, stolen credentials, and operational infrastructure tied to the OilRig group, a known cyber espionage actor.
: The OilRig group, also known as APT34 or Helix Kitten, is believed to be linked to Iran, based on multiple industry and government reports.
: The group aims to gain long-term access to targeted systems for espionage purposes, often stealing credentials and sensitive data.
: At least 97 organizations across 27 countries and 18 industries were identified in the leaked data, with over 13,000 stolen credentials.
: The campaign targeted a wide range of sectors, including government, energy, media, transportation, and technology service providers.
: OilRig used stolen credentials, PowerShell backdoors, webshells, DNS hijacking, and lateral movement through corporate networks to gain and maintain access.
: They hold sensitive information and have access to critical infrastructure—attractive to nation-state actors seeking intelligence or disruption capabilities.
: Enforce multi-factor authentication, monitor for DNS tunneling, restrict PowerShell, scan for known malware signatures, and educate users on phishing risks.
: The campaign is highly targeted but spans many industries and geographies, indicating OilRig's broad scope and persistent interest in strategic sectors.

About Affiliation

OilRig

Associate threats