{
	"id": "d55eee39-d4eb-472f-b529-eeb341b85e1b",
	"created_at": "2026-04-29T08:22:23.283028Z",
	"updated_at": "2026-04-29T10:42:05.257738Z",
	"deleted_at": null,
	"sha1_hash": "b21e9bd0ef8a506aa95cf7d6f3e5bfd6d44beb12",
	"title": "Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its Global Rampage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 154081,
	"plain_text": "Inside OilRig -- Tracking Iran's Busiest Hacker Crew On Its\r\nGlobal Rampage\r\nBy Thomas Brewster\r\nPublished: 2017-02-15 · Archived: 2026-04-29 07:00:45 UTC\r\nIran has become one of the more prolific nations when it comes to cyberespionage, according to U.S. experts. (AP\r\nPhoto/Vahid Salemi)\r\nAI Squared, a small, mission-driven tech firm based in a verdant corner of Vermont, builds software that alters\r\nwebsites to help those with visual impairment use the internet. It never expected to become an innocent victim in\r\nan international cyberespionage campaign allegedly perpetrated by Iran.\r\nBut AI Squared is now living proof that any American business, be it Microsoft-sized or a minnow, is a potential\r\nvictim of Iran's increasingly sophisticated and prolific digital army. Indeed, AI Squared has become the only\r\nknown private American business to have been targeted by a young crew from Iran known as OilRig. Since its\r\nbirth in late 2015, OilRig has become one of the most active hacking organizations to be sponsored by the Iranian\r\ngovernment, according to cybersecurity experts and to U.S. and Israeli intelligence firms. FORBES is revealing a\r\nhandful of its targets for the first time on Wednesday, showing its rapid infiltration of systems across the globe in\r\nlittle over a year.\r\nWhile most Iranian groups have typically targeted a niche set of domestic and foreign targets, in particular\r\ngovernment agencies and dissidents, OilRig is far more focused on private industry outside of Iran. 
\"What's\r\ninteresting about OilRig is how much it's just foreign-focused and is interested in the private sector as much as it's\r\nhttps://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a\r\nPage 1 of 4\n\ninterested in the diplomatic establishment,\" said Collin Anderson, a Washington D.C.-based researcher who is\r\ndrawing up a report for Carnegie Mellon on Iran's overall cyber power. And though it's unclear just what data\r\nOilRig has siphoned off target systems, the unit is representative of a shift in Iran's cyber strategy, from\r\ndestructive attacks, such as the infamous hit on the Las Vegas Sands Casino in 2014, to stealthy monitoring of\r\ntargets.\r\nAn American platform for attack\r\nAI Squared's problems started in the second week of January, when the company received a startling warning\r\nfrom security giant Symantec: Certificates for its technology that are designed to guarantee its authenticity had\r\nbeen compromised. What Symantec didn’t say, and what AI Squared is now investigating after FORBES\r\ndisclosed the Iranian link to the company, was that OilRig was believed to have been responsible.\r\nThe crew stole AI Squared certificates and used them to disguise their own malware. The goal was to make their\r\nsurveillance tools appear legitimate to the security systems of their many targets across the Middle East, Europe and\r\nthe U.S., as noted in a report from Israeli security provider ClearSky in early January. The OilRig hackers pushed\r\nthose espionage tools over two fake Oxford University pages in November 2016, one claiming to offer jobs at the\r\ninstitution, the other a conference sign-up website, ClearSky said. Both encouraged visitors to download\r\ndocuments, one to complete registration for the fake event, the other for an Oxford University CV creator. 
Once\r\nclicked, the crew's malware, named Helminth, would run, allowing the OilRig crew to control targets’ PCs and\r\nsteal data.\r\nA fake Oxford University jobs site created by OilRig. Malware signed by an American firm's certificates was\r\ndelivered from the domain.\r\nAI Squared, owned by Florida-based VFO Group since a June 2016 acquisition, only received vague details on the\r\ncompromise from Symantec and is only now launching an investigation. \"Could someone else have hacked into\r\nour systems? We’re pretty secure here, but they hacked the White House, they can hack anywhere they want,\" said\r\nScott Moore, marketing VP at VFO Group, which claims to be \"the world's leading assistive technology provider\r\nfor the visually impaired.\" The company has yet to reach any conclusive findings.\r\nGunning for government officials\r\nMany other organizations have become victims of OilRig's crew in recent years. Intelligence firms believe OilRig\r\nhas taken control of multiple email accounts at public and private organizations. With that access, they’ve\r\nexpanded their phishing campaigns in the U.S., Saudi Arabia, Turkey, and beyond.\r\nOne OilRig phishing email viewed by FORBES, dated July 2016, was addressed to three officials at Turkey’s\r\nforeign ministry. They included an adviser to the Permanent Mission of Turkey to the United Nations, based in\r\nNew York, a staffer at the Turkish embassy in Riga, Latvia, and another official based in Turkey. It was sent\r\nfrom an official Turkish Airlines check-in address, indicating the hackers had either compromised the airline’s\r\nemail or spoofed the account. The message encouraged the recipient to provide login details via an attached Excel\r\nfile. 
Once opened, the group’s Helminth malware would run.\r\nThe Turkish adviser in New York said he had never seen the phishing email and so couldn’t have clicked on the\r\nlink. At the time of publication, the other targets had not responded to multiple requests for comment. Turkish\r\nAirlines also had not returned requests. Despite the phishing email itself showing whom OilRig was trying to\r\ntarget, it’s not known if either organization was successfully hacked.\r\nBut similar malicious documents were sent to multiple other government organizations across the world,\r\naccording to Palo Alto Networks, which first published the phishing email without naming the parties involved.\r\nPrivate industry attacks\r\nOilRig has gone after multiple private companies too. Another phish, attempted by the hackers in May 2016, was\r\nsent, according to metadata in the email headers, from servers within Saudi Arabian government\r\ncontractor and IT security supplier Al-Elm. That could indicate a breach at Al-Elm, according to the security\r\nresearcher who showed FORBES the email.\r\nThe message was injected into an ongoing email thread between Al-Elm and Samba, part of the Samba Financial\r\nGroup, the kingdom's third-largest lender, which reported a $290 million profit last quarter. The message contained a\r\nversion of OilRig’s Helminth surveillance kit, which would launch as soon as a recipient opened an attached\r\ndocument, in this case an Excel file called “notes.xls.” Neither Al-Elm nor Samba had responded to requests for\r\ncomment.\r\nAccording to a report released Wednesday by cyber intelligence firm SecureWorks, which has dubbed the OilRig\r\ncrew Cobalt Gypsy, the group was active this January, sending out messages loaded with malware from legitimate\r\nemail addresses belonging to one of Saudi Arabia's biggest IT suppliers, the National Technology Group, and an\r\nEgyptian IT services firm, ITWorx. 
From those email accounts, an unnamed Middle Eastern entity was targeted with\r\nmessages promising links to job offers. Hidden in the attachments was PupyRAT, an open-source remote access\r\ntrojan (RAT) that works across Android, Linux and Windows platforms.\r\nOne of OilRig's favorite methods of infection is sending out job ads. In this case, Egypt's ITWorx was used as a\r\nlure.\r\nNeither the National Technology Group nor ITWorx had responded to requests for comment. Just as in the case of\r\nAl-Elm, analysis of the headers of the phishing emails indicated they originated from within the sender’s\r\norganization, and were not spoofed, SecureWorks said. That indicated \"the threat actor previously compromised\r\nthose organizations,\" according to SecureWorks intelligence analyst Allison Wikoff.\r\nThe SecureWorks Counter Threat Unit has repeatedly informed its customers across the government and private\r\nsectors with “high confidence” that OilRig “is associated with Iranian government-directed cyber operations.”\r\nCrowdStrike, which dubs the group Twisted Kitten, has connected it with Iran too. And Israeli firm ClearSky has\r\nalso traced the crew back to the Middle East nation.\r\n\"They're very active, possibly the most active group [in Iran],\" said Rafe Pilling, security researcher at\r\nSecureWorks. \"They are capable and have demonstrated that capability to leverage their phishing ops.\"\r\nThe Iranian government hadn't responded to a request for comment on the OilRig group at the time of publication.\r\nIn the past, Iran has denied involvement in cyberespionage and digital attacks on foreign systems.\r\nIran's freewheeling cyber spies\r\nOutside of OilRig, other reports of Iranian activity have caused alarm across the security community in the last\r\nyear, for both their sophistication and their novelty. 
One of only a handful of Mac malware samples was attributed\r\nto the Iranian government earlier this month. Just last year, the U.S. indicted seven Iranians for their alleged\r\nparticipation in attacks on U.S. financial institutions. One was also charged with an attempt to hack the\r\nBowman Dam in New York. The accused reside in Iran and are not expected to be extradited to stand trial. Iran\r\ndenied involvement in the attacks.\r\nAnderson, who uncovered the Mac malware, said Iran had created a hodgepodge of hackers, some of whom were\r\ncapable of causing severe harm. “It's chaotic, five- or six-man shops that produce mediocre malware,” said\r\nAnderson, who tracks a substantial amount of Iranian cyber activity with fellow researcher Claudio Guarnieri.\r\n“Sometimes they do some catastrophic damage, most of the time not so much.”\r\nU.S. cyber experts are now looking at how OilRig and its sister crews will respond to the Trump administration's\r\nstance on Iran, which may become clearer after the president's meeting with Israeli prime minister Benjamin\r\nNetanyahu. \"The Iranians are being cautious about provoking the US until they see how the Trump administration\r\nlines up on Iran policy,\" said James Lewis, an intelligence and security specialist at the Center for Strategic and\r\nInternational Studies. \"Let’s see what happens with the Netanyahu visit.\"\r\nSource: https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a"
	],
	"report_names": [
		"#56749aa2468a"
	],
	"threat_actors": [
		{
			"id": "6dbdb9e4-3569-404a-8a25-e8ce65994281",
			"created_at": "2023-01-06T13:46:38.380071Z",
			"updated_at": "2026-04-29T10:39:53.051182Z",
			"deleted_at": null,
			"main_name": "Sands Casino",
			"aliases": [],
			"source_name": "MISPGALAXY:Sands Casino",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cffb3c01-038f-4527-9cfd-57ad5a035c22",
			"created_at": "2022-10-25T15:50:23.38055Z",
			"updated_at": "2026-04-29T10:39:54.627822Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"COBALT GYPSY",
				"IRN2",
				"APT34",
				"Helix Kitten",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"ITG13",
				"Earth Simnavaz",
				"Crambus",
				"TA452"
			],
			"source_name": "MITRE:OilRig",
			"tools": [
				"ISMInjector",
				"ODAgent",
				"RDAT",
				"Systeminfo",
				"QUADAGENT",
				"OopsIE",
				"ngrok",
				"Tasklist",
				"certutil",
				"ZeroCleare",
				"POWRUNER",
				"netstat",
				"Solar",
				"ipconfig",
				"LaZagne",
				"BONDUPDATER",
				"SideTwist",
				"OilBooster",
				"SampleCheck5000",
				"PsExec",
				"SEASHARPEE",
				"Mimikatz",
				"PowerExchange",
				"OilCheck",
				"RGDoor",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c786e025-c267-40bd-9491-328da70811a5",
			"created_at": "2025-08-07T02:03:24.736817Z",
			"updated_at": "2026-04-29T10:39:54.782061Z",
			"deleted_at": null,
			"main_name": "COBALT GYPSY",
			"aliases": [
				"APT34 ",
				"CHRYSENE ",
				"Crambus ",
				"EUROPIUM ",
				"Hazel Sandstorm ",
				"Helix Kitten ",
				"ITG13 ",
				"OilRig ",
				"Yellow Maero "
			],
			"source_name": "Secureworks:COBALT GYPSY",
			"tools": [
				"Glimpse",
				"Helminth",
				"Jason",
				"MacDownloader",
				"PoisonFrog",
				"RGDoor",
				"ThreeDollars",
				"TinyZbot",
				"Toxocara",
				"Trichuris",
				"TwoFace"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-29T10:39:53.050333Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"TG-2889",
				"Cobalt Gypsy",
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67709937-2186-4a32-b64c-a5693d40ac77",
			"created_at": "2023-01-06T13:46:38.495593Z",
			"updated_at": "2026-04-29T10:39:53.084482Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"Twisted Kitten",
				"Helix Kitten",
				"APT 34",
				"APT34",
				"IRN2",
				"ATK40",
				"TA452",
				"Cobalt Gypsy",
				"Crambus",
				"G0049",
				"Evasive Serpens",
				"Hazel Sandstorm",
				"EUROPIUM",
				"Earth Simnavaz"
			],
			"source_name": "MISPGALAXY:OilRig",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b6436f7b-6012-4969-aed1-d440e2e8b238",
			"created_at": "2022-10-25T16:07:23.91517Z",
			"updated_at": "2026-04-29T10:39:55.397649Z",
			"deleted_at": null,
			"main_name": "OilRig",
			"aliases": [
				"APT 34",
				"ATK 40",
				"Chrysene",
				"Cobalt Gypsy",
				"Crambus",
				"DEV-0861",
				"EUROPIUM",
				"Earth Simnavaz",
				"Evasive Serpens",
				"G0049",
				"Hazel Sandstorm",
				"Helix Kitten",
				"IRN2",
				"ITG13",
				"Scarred Manticore",
				"Storm-0861",
				"TA452",
				"Twisted Kitten",
				"UNC1860",
				"Yellow Maero"
			],
			"source_name": "ETDA:OilRig",
			"tools": [
				"AMATIAS",
				"Agent Drable",
				"Agent Injector",
				"AgentDrable",
				"Alma Communicator",
				"BONDUPDATER",
				"CACTUSPIPE",
				"Clayslide",
				"CypherRat",
				"DNSExfitrator",
				"DNSpionage",
				"DROPSHOT",
				"DistTrack",
				"DropperBackdoor",
				"Fox Panel",
				"GREYSTUFF",
				"GoogleDrive RAT",
				"HighShell",
				"HyperShell",
				"ISMAgent",
				"ISMDoor",
				"ISMInjector",
				"Jason",
				"Karkoff",
				"LIONTAIL",
				"LOLBAS",
				"LOLBins",
				"LONGWATCH",
				"LaZagne",
				"Living off the Land",
				"MailDropper",
				"Mimikatz",
				"MrPerfectInstaller",
				"OILYFACE",
				"OopsIE",
				"POWBAT",
				"POWRUNER",
				"Plink",
				"Poison Frog",
				"PowerExchange",
				"PsList",
				"PuTTY Link",
				"QUADAGENT",
				"RDAT",
				"RGDoor",
				"SEASHARPEE",
				"Saitama",
				"Saitama Backdoor",
				"Shamoon",
				"SideTwist",
				"SpyNote",
				"SpyNote RAT",
				"StoneDrill",
				"TONEDEAF",
				"TONEDEAF 2.0",
				"ThreeDollars",
				"TwoFace",
				"VALUEVAULT",
				"Webmask",
				"WinRAR",
				"ZEROCLEAR",
				"ZeroCleare",
				"certutil",
				"certutil.exe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450943,
	"ts_updated_at": 1777459325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b21e9bd0ef8a506aa95cf7d6f3e5bfd6d44beb12.pdf",
		"text": "https://archive.orkl.eu/b21e9bd0ef8a506aa95cf7d6f3e5bfd6d44beb12.txt",
		"img": "https://archive.orkl.eu/b21e9bd0ef8a506aa95cf7d6f3e5bfd6d44beb12.jpg"
	}
}