{
	"id": "2dedf33e-b3de-4ed4-86da-9aec39727134",
	"created_at": "2026-04-06T00:09:52.797675Z",
	"updated_at": "2026-04-10T03:37:36.708439Z",
	"deleted_at": null,
	"sha1_hash": "774a17a38e639e58332b0a906a3b41ac999a2009",
	"title": "APT 34 Is an Iran-Linked Hacking Group That Probes Critical Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1966721,
	"plain_text": "APT 34 Is an Iran-Linked Hacking Group That Probes Critical\r\nInfrastructure\r\nBy Lily Hay Newman\r\nPublished: 2017-12-07 · Archived: 2026-04-05 14:44:07 UTC\r\nIranian Hackers Have Been Infiltrating Critical Infrastructure Companies\r\nA new Iran-linked hacking group called APT 34 has been spotted lurking in the networks of financial, energy,\r\ntelecom, and chemical companies.\r\nKamran Jebreili/AP\r\nThe international intelligence agency always has a keen interest in Iran's hacking activity. And new research\r\npublished by the security firm FireEye on Thursday indicates the country's efforts show no signs of slowing. In\r\nfact, a new network reconnaissance group—FireEye calls them Advanced Persistent Threat 34—has spent the last\r\nfew years burrowing deep into critical infrastructure companies.\r\nYou’ve read your last free article.\r\nhttps://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/\r\nPage 1 of 3\n\nThe intersection of technology, power, and culture. Start your free trial and get access to 5 all-new premium\r\nnewsletters—cancel anytime.\r\nSTART FREE TRIAL\r\nAlready a subscriber? Sign In\r\nThe intersection of technology, power, and culture. Start your free trial and get access to 5 all-new premium\r\nnewsletters START FREE TRIAL\r\nhttps://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/\r\nPage 2 of 3\n\nLily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She\r\npreviously worked as a technology reporter at Slate, and was the staff writer for Future Tense, a publication and\r\npartnership between Slate, the New America Foundation, and Arizona State University. Her work ... Read More\r\nDon't Just Keep Up. Get Ahead\r\nSign up for the Daily newsletter to get our biggest stories, handpicked for you each day.\r\nSource: https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/\r\nhttps://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/"
	],
	"report_names": [
		"apt-34-iranian-hackers-critical-infrastructure-companies"
	],
	"threat_actors": [
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-10T02:00:02.999196Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Crambus",
				"Helix Kitten",
				"APT34",
				"IRN2",
				"ATK40",
				"G0049",
				"EUROPIUM",
				"TA452",
				"Twisted Kitten",
				"Cobalt Gypsy",
				"APT 34",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-10T02:00:04.788408Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/774a17a38e639e58332b0a906a3b41ac999a2009.pdf",
		"text": "https://archive.orkl.eu/774a17a38e639e58332b0a906a3b41ac999a2009.txt",
		"img": "https://archive.orkl.eu/774a17a38e639e58332b0a906a3b41ac999a2009.jpg"
	}
}