Trusted Design

OilRig

G0049 · MITRE Pageへのリンク

脅威アクターの詳細

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)

別名・別称

OilRig
COBALT GYPSY
IRN2
APT34
Helix Kitten
Evasive Serpens
Hazel Sandstorm
EUROPIUM
ITG13
Earth Simnavaz
Crambus
TA452

利用した攻撃手法

• T1053.005 - Scheduled Task
• T1047 - Windows Management Instrumentation
• T1113 - Screen Capture
• T1033 - System Owner/User Discovery
• T1056.001 - Keylogging
• T1027.013 - Encrypted/Encoded File
• T1133 - External Remote Services
• T1071.004 - DNS
• T1025 - Data from Removable Media
• T1036.005 - Match Legitimate Resource Name or Location
• T1003.004 - LSA Secrets
• T1587.001 - Malware
• T1087.002 - Domain Account
• T1204.002 - Malicious File
• T1087.001 - Local Account
• T1543.003 - Windows Service
• T1497.001 - System Checks
• T1069.002 - Domain Groups
• T1566.002 - Spearphishing Link
• T1021.004 - SSH
• T1566.001 - Spearphishing Attachment
• T1119 - Automated Collection
• T1115 - Clipboard Data
• T1007 - System Service Discovery
• T1553.002 - Code Signing
• T1120 - Peripheral Device Discovery
• T1082 - System Information Discovery
• T1556.002 - Password Filter DLL
• T1005 - Data from Local System
• T1140 - Deobfuscate/Decode Files or Information
• T1586.002 - Email Accounts
• T1608.001 - Upload Malware
• T1195 - Supply Chain Compromise
• T1555 - Credentials from Password Stores
• T1219 - Remote Access Tools
• T1583.001 - Domains
• T1036 - Masquerading
• T1572 - Protocol Tunneling
• T1562.004 - Disable or Modify System Firewall
• T1112 - Modify Registry
• T1555.003 - Credentials from Web Browsers
• T1505.003 - Web Shell
• T1003.001 - LSASS Memory
• T1003.005 - Cached Domain Credentials
• T1016 - System Network Configuration Discovery
• T1059 - Command and Scripting Interpreter
• T1049 - System Network Connections Discovery
• T1552.001 - Credentials In Files
• T1057 - Process Discovery
• T1059.001 - PowerShell
• T1069.001 - Local Groups
• T1588.002 - Tool
• T1218.001 - Compiled HTML File
• T1110 - Brute Force
• T1027.005 - Indicator Removal from Tools
• T1078 - Valid Accounts
• T1068 - Exploitation for Privilege Escalation
• T1201 - Password Policy Discovery
• T1203 - Exploitation for Client Execution
• T1137.004 - Outlook Home Page
• T1573.002 - Asymmetric Cryptography
• T1012 - Query Registry
• T1078.002 - Domain Accounts
• T1059.003 - Windows Command Shell
• T1555.004 - Windows Credential Manager
• T1070.004 - File Deletion
• T1071.001 - Web Protocols
• T1059.005 - Visual Basic
• T1046 - Network Service Discovery
• T1105 - Ingress Tool Transfer
• T1588.003 - Code Signing Certificates
• T1021.001 - Remote Desktop Protocol
• T1204.001 - Malicious Link
• T1008 - Fallback Channels
• T1566.003 - Spearphishing via Service
• T1048.003 - Exfiltration Over Unencrypted Non-C2 Protocol

関連するCVE (攻撃手法に関連)

• CVE-2014-4114 (T1204.001)
• CVE-2017-0143 (T1566.003)
• CVE-2013-3906 (T1137.004)
• CVE-2013-6282 (T1555.003)
• CVE-2025-55182 (T1204.001)
• CVE-2023-1389 (T1566.003)
• CVE-2025-13928 (T1078)
• CVE-2025-24893 (T1566.003)
• CVE-2025-34026 (T1204.001)
• CVE-2025-55184 (T1204.001)
• CVE-2025-68645 (T1204.001)
• CVE-2016-1898 (T1204.001)
• CVE-2016-1897 (T1204.001)
• CVE-2015-0932 (T1552.001)
• CVE-2014-7247 (T1566.003)
• CVE-2013-5990 (T1566.003)
• CVE-2014-1776 (T1204.001)
• CVE-2016-6532 (T1555.004)
• CVE-2008-1436 (T1555.004)
• CVE-2010-4398 (T1204.001)
• CVE-2015-3043 (T1204.001)
• CVE-2016-1990 (T1137.004)
• CVE-2016-1991 (T1137.004)
• CVE-2015-2852 (T1204.001)
• CVE-2015-2854 (T1204.001)
• CVE-2015-2853 (T1204.001)
• CVE-2016-1287 (T1566.003)
• CVE-2016-1562 (T1137.004)
• CVE-2012-0507 (T1566.003)
• CVE-2013-2465 (T1566.003)
• CVE-2013-7331 (T1078.002)
• CVE-2016-4117 (T1203)
• CVE-2015-1770 (T1204.001)
• CVE-2015-2545 (T1204.001)
• CVE-2017-0199 (T1204.001)
• CVE-2012-0158 (T1204.001)
• CVE-2014-6352 (T1059.005)
• CVE-2015-0016 (T1204.001)
• CVE-2010-3333 (T1204.001)
• CVE-2010-0188 (T1204.001)
• CVE-2010-2884 (T1059.003)
• CVE-2013-0640 (T1059.003)
• CVE-2011-0611 (T1566.003)
• CVE-2015-2546 (T1566.003)
• CVE-2014-4113 (T1204.001)
• CVE-2015-1701 (T1204.001)
• CVE-2017-0263 (T1566.003)
• CVE-2015-0057 (T1204.001)
• CVE-2015-2360 (T1204.001)
• CVE-2014-4148 (T1204.001)
• CVE-2015-0071 (T1204.001)
• CVE-2015-7755 (T1203)
• CVE-2015-8286 (T1562.004)
• CVE-2015-8287 (T1203)
• CVE-2010-1553 (T1566.003)
• CVE-2014-1761 (T1555.004)
• CVE-2017-16929 (T1204.001)
• CVE-2012-1876 (T1204.001)
• CVE-2012-2539 (T1204.001)
• CVE-2013-3660 (T1204.001)
• CVE-2009-3129 (T1566.003)
• CVE-2012-4969 (T1204.001)
• CVE-2010-3081 (T1046)
• CVE-2014-8361 (T1071.001)
• CVE-2010-2883 (T1046)
• CVE-2012-6422 (T1566.003)
• CVE-2015-0310 (T1555.004)
• CVE-2014-6332 (T1204.001)
• CVE-2010-0806 (T1204.001)
• CVE-2015-3785 (T1555.004)
• CVE-2010-0232 (T1204.001)
• CVE-2013-2595 (T1068)
• CVE-2015-5119 (T1204.001)
• CVE-2015-5122 (T1204.001)
• CVE-2012-1856 (T1204.001)
• CVE-2015-3090 (T1566.003)
• CVE-2015-2590 (T1204.001)
• CVE-2015-2424 (T1204.001)
• CVE-2015-0097 (T1204.001)
• CVE-2015-2502 (T1204.001)
• CVE-2014-6271 (T1566.003)
• CVE-2012-1889 (T1608.001)
• CVE-2016-1010 (T1566.003)
• CVE-2016-0984 (T1204.001)
• CVE-2016-0998 (T1566.003)
• CVE-2015-1641 (T1204.001)
• CVE-2015-0313 (T1204.001)
• CVE-2015-0359 (T1204.001)
• CVE-2014-0329 (T1204.001)
• CVE-2015-5130 (T1566.003)
• CVE-2015-5134 (T1566.003)
• CVE-2015-5539 (T1566.003)
• CVE-2015-5557 (T1566.003)
• CVE-2015-5563 (T1566.003)
• CVE-2015-5559 (T1566.003)
• CVE-2015-5540 (T1566.003)
• CVE-2015-5561 (T1566.003)
• CVE-2015-5551 (T1566.003)
• CVE-2015-5564 (T1566.003)
• CVE-2015-5565 (T1566.003)
• CVE-2015-5550 (T1566.003)
• CVE-2015-5566 (T1566.003)
• CVE-2015-5127 (T1566.003)
• CVE-2015-5556 (T1566.003)
• CVE-2015-3628 (T1203)
• CVE-2015-6034 (T1068)
• CVE-2015-6585 (T1552.001)
• CVE-2015-6022 (T1204.001)
• CVE-2016-2343 (T1555.003)
• CVE-2017-0261 (T1204.001)
• CVE-2017-0262 (T1204.001)
• CVE-2016-9494 (T1204.001)
• CVE-2016-9496 (T1204.001)
• CVE-2016-9495 (T1204.001)
• CVE-2015-0311 (T1204.001)
• CVE-2012-3213 (T1204.001)
• CVE-2012-4792 (T1204.001)
• CVE-2014-0322 (T1204.001)
• CVE-2015-0336 (T1566.003)
• CVE-2011-3544 (T1204.001)
• CVE-2014-7911 (T1608.001)
• CVE-2015-3636 (T1068)
• CVE-2015-3105 (T1137.004)
• CVE-2017-17215 (T1204.001)
• CVE-2013-0074 (T1204.001)
• CVE-2013-2551 (T1204.001)
• CVE-2012-4681 (T1204.001)
• CVE-2014-0556 (T1566.003)
• CVE-2012-1723 (T1204.001)
• CVE-2015-1761 (T1204.001)
• CVE-2014-8440 (T1204.001)
• CVE-2011-3402 (T1204.001)
• CVE-2014-6324 (T1204.001)
• CVE-2013-2678 (T1204.001)
• CVE-2015-2426 (T1204.001)
• CVE-2015-4902 (T1566.003)
• CVE-2014-3897 (T1204.001)
• CVE-2015-2387 (T1204.001)
• CVE-2010-2572 (T1204.001)
• CVE-2011-1255 (T1204.001)
• CVE-2017-8570 (T1566.003)
• CVE-2012-0611 (T1204.001)
• CVE-2015-2419 (T1204.001)
• CVE-2016-0189 (T1204.001)
• CVE-2017-0001 (T1566.003)
• CVE-2025-31125 (T1204.001)
• CVE-2025-55183 (T1204.001)
• CVE-2025-66478 (T1566.003)
• CVE-2026-20127 (T1204.001)
• CVE-2015-7261 (T1204.001)
• CVE-2014-3393 (T1566.003)
• CVE-2026-0723 (T1555.004)
• CVE-2015-1427 (T1566.003)
• CVE-2017-12149 (T1204.001)
• CVE-2015-4495 (T1555.004)
• CVE-2013-2094 (T1204.001)
• CVE-2012-0056 (T1068)
• CVE-2010-1297 (T1204.001)
• CVE-2014-4322 (T1068)
• CVE-2015-5897 (T1068)
• CVE-2015-3456 (T1078)
• CVE-2015-8562 (T1204.001)
• CVE-2015-7262 (T1555.004)
• CVE-2012-1258 (T1046)
• CVE-2014-3153 (T1203)
• CVE-2014-2273 (T1555.003)
• CVE-2025-13335 (T1555.004)
• CVE-2025-13927 (T1078)
• CVE-2026-1102 (T1078)
• CVE-2016-2342 (T1046)
• CVE-2014-8439 (T1046)
• CVE-2014-0569 (T1137.004)
• CVE-2015-7645 (T1204.001)
• CVE-2015-5749 (T1555.004)
• CVE-2015-6036 (T1204.001)
• CVE-2025-54313 (T1137.004)
• CVE-2013-0641 (T1059.003)
• CVE-2015-3113 (T1137.004)
• CVE-2013-0634 (T1566.003)
• CVE-2015-7808 (T1203)
• CVE-2016-1019 (T1566.003)
• CVE-2010-0738 (T1566.003)
• CVE-2016-1001 (T1566.003)
• CVE-2014-0497 (T1137.004)
• CVE-2014-0515 (T1137.004)
• CVE-2014-9163 (T1046)
• CVE-2015-5560 (T1137.004)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る