Group: APT34

From enterprise
Jump to: navigation, search
ID G0057
Aliases APT34

APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways.1

Alias Descriptions

  • APT34 - 1

Techniques Used

  • Scripting - APT34 has used .bat and .vbs scripts for execution.1
  • PowerShell - APT34 has used PowerShell scripts for execution.1
  • File Deletion - APT34 has deleted initial drop files from the staging directory.1
  • Web Shell - APT34 has frequently used Web shells, often to maintain access to a victim network.2
  • Credential Dumping - APT34 has dumped credentials from victims in several ways, including by using open source tools Mimikatz and Lazagne, or by harvesting credentials when users log into Outlook Web Access.2
  • Brute Force - APT34 has used brute force techniques to obtain credentials.2
  • Network Service Scanning - APT34 has used the publicly available tool SoftPerfect Network Scanner as well as a custom tool called GOLDIRONY to conduct network scanning.2
  • Screen Capture - APT34 has a tool called CANDYKING to capture a screenshot of user's desktop.2
  • Remote Desktop Protocol - APT34 uses Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.2
  • Valid Accounts - APT34 has used valid administrator credentials to assist in lateral movement.2
  • Password Policy Discovery - APT34 has used net.exe in a script with net accounts /domain to find the password policy of a domain.3