Fireeye believe APT34 is involved in a long-term cyber espionage operation largely focused on reconnaissance efforts to benefit Iranian nation-state interests and has been operational since at least 2014. We assess that APT34 works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.
Name: OilRig (Palo Alto) APT 34 (FireEye) Helix Kitten (CrowdStrike) Twisted Kitten (CrowdStrike) Crambus (Symantec) Chrysene (Dragos) Cobalt Gypsy (SecureWorks) TA452 (Proofpoint) IRN2 (Area 1) ATK 40 (Thales) ITG13 (IBM)
Location: Iran
Suspected attribution: State-sponsored
Date of initial activity: 2014
Targets: Private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists
Motivation: Espionage
Associated tools: Glimpse, Helminth, Jason, MacDownloader, PoisonFrog, PupyRAT, RGDoor, ThreeDollars, TinyZbot, Toxocara, Trichuris, TwoFace, Webmask, ZeroCleare, Living off the Land.
Attack vectors: Shamoon Attacks: W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector. It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable. Target: Saudi Aramco and Rasgas.
How they work: In its latest campaign, APT34 leveraged the recent Microsoft Office vulnerability CVE-2017-11882 to deploy POWRUNER and BONDUPDATER.
COBALT GYPSY has been active since at least 2015, targeting MENA-based or affiliated organizations in the telecommunications, government, defense, oil and financial services verticals. CTU researchers assess with moderate confidence that COBALT GYPSY operates on behalf of Iran. The group often uses spearphishing, with academic or employment related themes, to infect targets, many of whom are identified and approached via social media sites. COBALT GYPSY also performs broad phishing operations against global government, energy, oil/gas, aviation, and nuclear organizations, as well as against defense contractors. The group has deployed a range of custom remote access trojans (Helminth, Toxocara, Trichuris) and webshells (TwoFace, ThreeDollars). CTU researchers track a number of related but distinct groups with tradecraft or infrastructure similarities to COBALT GYPSY. These groups include COBALT EDGEWATER, COBALT KATANA and COBALT LYCEUM.