APT34, aka OilRig, is intensifying attacks on critical infrastructure and industries. This article covers their latest tactics and offers strategies for security teams to defend effectively.
For more than a decade, APT34, also known as OilRig, has been on the global radar as an Advanced Persistent Threat (APT) group with suspected ties to the Iranian government. Since 2014, they’ve been relentlessly targeting high-risk sectors like financial institutions, energy companies, telecommunications, and critical national infrastructure (CNI).
While their main focus has been the Gulf region, their ambitions have expanded, with attacks reaching Europe and the USA.
Recent industry intelligence shows that APT34 is escalating efforts against CNI and government resources. As their tactics evolve, it’s crucial for security operations (SOC) teams to stay one step ahead, keeping defences adaptable and proactive to counter these growing threats.
New tactics and evolving campaigns
APT34 continually adapts its methods to stay ahead of security defences. Below, we outline some of the group's latest tactics and how it is enhancing its capabilities.
Targeting critical infrastructure
APT34 is increasing its focus on high-value targets, particularly critical infrastructure in the Gulf region.
They’ve intensified campaigns targeting key infrastructure sectors like energy and government resources, reflecting an escalated intent to disrupt crucial operations.
Using web shells for initial access
APT34 uses web shells as a gateway into target networks, leveraging server vulnerabilities.
Their recent campaigns exploit vulnerable web servers to deploy web shells, allowing remote control and providing a persistent foothold within the compromised environment.
Leveraging PowerShell for stealthy movement
APT34 relies on PowerShell to blend into legitimate administrative activity within networks.
Once they gain a foothold, APT34 uses PowerShell to move laterally, taking advantage of its legitimacy as a powerful system tool to avoid detection by traditional security measures.
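The two behaviours described above, a web server process launching a shell and PowerShell run with encoded or hidden-window options, can be triaged from process-creation telemetry. The following is an added example, not code from the original article: it assumes events shaped like Sysmon Event ID 1 records, an IIS-hosted server (w3wp.exe), and constructed sample data with hypothetical host names.

```python
# Constructed example: field names follow Sysmon Event ID 1 (process creation).
WEB_PARENTS = {"w3wp.exe"}  # assumption: IIS worker process hosts the web app
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def abbreviates(token, full_name):
    """PowerShell accepts any unambiguous prefix of a parameter name."""
    return len(token) >= 2 and full_name.startswith(token)

def classify(event):
    """Return the findings for one process-creation event."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    tokens = event.get("CommandLine", "").lower().split()
    findings = []
    if parent in WEB_PARENTS and child in SHELLS:
        findings.append("webserver_spawned_shell")
    if child in ("powershell.exe", "pwsh.exe"):
        if any(t == "-ec" or abbreviates(t, "-encodedcommand") for t in tokens):
            findings.append("powershell_encoded_command")
        if any(abbreviates(t, "-windowstyle") and nxt == "hidden"
               for t, nxt in zip(tokens, tokens[1:])):
            findings.append("powershell_hidden_window")
    return findings

def triage(events):
    """Map host -> sorted findings, skipping events with no findings."""
    alerts = {}
    for ev in events:
        found = classify(ev)
        if found:
            alerts.setdefault(ev.get("Computer", "unknown"), set()).update(found)
    return {host: sorted(f) for host, f in alerts.items()}

# Constructed sample events, not taken from any real incident.
SAMPLE = [
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "EXCH01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <placeholder>"},
    {"Computer": "ADMIN-PC", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"},
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

The third sample event is ordinary administrative PowerShell and produces no finding, which is the distinction a rule like this has to preserve on servers where PowerShell is in daily use.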
Exploiting the CVE-2024-30088 vulnerability
APT34 quickly adapts to leverage new vulnerabilities, such as CVE-2024-30088, for privilege escalation.
This vulnerability allows them to escalate their privileges to SYSTEM level, giving them full control over affected systems. Despite a patch being available since June 2024, many organisations remain vulnerable.
StealHook backdoor and evolving credential theft tactics
APT34’s credential theft techniques have evolved from DLL-based password capture to sophisticated backdoors.
They have moved from using a password-filter DLL for capturing plaintext passwords to deploying the StealHook backdoor, which targets Microsoft Exchange servers to harvest credentials and exfiltrate data stealthily.
Social engineering through LinkedIn
APT34 continues to use social engineering, often targeting professionals via LinkedIn.
They create fake profiles to impersonate recruiters or professionals, using convincing tactics to trick targets into clicking malicious links or opening compromised documents.
How security teams can defend against APT34
To effectively combat APT34, security teams need to understand and address their evolving tactics with a proactive and layered defence strategy.
In summary
APT34 remains a highly active and adaptable adversary, evolving their tactics to focus more on critical infrastructure and key sectors across the Gulf, Europe, and the United States.
Understanding their attack techniques, from exploiting vulnerabilities like CVE-2024-30088 to using social engineering through LinkedIn, can help security teams develop effective defences.
By prioritising patch management, monitoring PowerShell and email systems, and training employees on social engineering, organisations can stay ahead of APT34’s tactics.
Remember, resilience in cybersecurity isn’t just about having the right tools. It’s about having the right strategy to detect, defend, and respond to ever-evolving threats.
Key takeaways
- APT34 is targeting critical infrastructure, primarily focused on the Gulf region but also reaching into Europe and the USA.
- APT34’s sophisticated campaigns use web shells for initial access and leverage PowerShell for stealthy movement, making detection challenging.
- APT34 exploits vulnerabilities like CVE-2024-30088 for privilege escalation, making prompt patching critical.
- Credential theft methods now include the StealHook backdoor, targeting Exchange servers.
- Social engineering via LinkedIn remains a key tactic, highlighting the need for user training.
- Vulnerability assessments and pen testing are vital to finding entry points before attacks.
- A solid incident response plan helps contain APT34 attacks and speed up recovery.
Want to know more?
If you’d like to understand more about how Kocho SecOps provides continual monitoring, proactive threat hunting, and rapid response to emerging incidents, reach out to our team for a detailed consultation.
And please join our mailing list for the latest cyber security news, technology updates, and regular tips to keep protected against advanced threats.