OilRig is the name given by Palo Alto Networks' Unit 42 to a state-aligned cyber-espionage group active since at least 2014 and widely assessed by private threat-intelligence firms to operate on behalf of the Iranian government. The group is tracked under several overlapping aliases, including APT34 (Mandiant/FireEye), Helix Kitten (CrowdStrike), and Cobalt Gypsy (SecureWorks). MITRE ATT&CK catalogues OilRig as Group G0049.
Operationally, OilRig focuses on long-term intelligence collection rather than destructive attacks. Its targeting set has emphasized Middle Eastern governments, militaries, energy companies, telecommunications providers, and financial institutions, with secondary interest in entities in the United States, the United Kingdom, Israel, and Turkey. Typical initial access vectors include spear-phishing with weaponized Microsoft Office documents, credential harvesting through fake VPN and webmail portals, and compromise of trusted third parties for supply-chain-style access.
The group is known for a steadily evolving custom toolkit. Publicly documented malware families linked to OilRig include Helminth, QUADAGENT, BONDUPDATER, OopsIE, RDAT, and Karkoff, as well as the DNSpionage campaign disclosed by Cisco Talos in 2018. Several OilRig tools have used DNS tunneling and steganography for command-and-control to evade network monitoring.
In March and April 2019, a leaker using the handle Lab Dookhtegan published portions of OilRig's source code, infrastructure lists, and alleged operator identities on Telegram, providing one of the most detailed public windows into an Iranian offensive cyber program. Researchers have since continued to track new OilRig-attributed campaigns, including activity against Middle Eastern government ministries reported by ESET and Trend Micro in 2022 and 2023.
For policy researchers, OilRig is frequently cited in discussions of state-sponsored cyber norms, sanctions on Iranian cyber actors, and the blurred line between intelligence services and contracted operators. Attribution remains based on private-sector analysis; the Iranian government has not acknowledged the group.
Example
In 2018, Cisco Talos linked OilRig-associated operators to the DNSpionage campaign, which compromised government and telecom entities in Lebanon and the United Arab Emirates through fake job-recruitment websites.
Frequently asked questions
Private threat-intelligence firms including Palo Alto Networks Unit 42, Mandiant, and CrowdStrike attribute OilRig to Iran. The Iranian government has not confirmed any link.
Keep learning