The Oracle: APT34

← Home·Gallery·Techniques

Threat Intelligence Tarot

Major Arcana · 12

Iran (Ministry of Intelligence)

G0049

★★★★★

risk 4/5

✦ The Oracle ✦

APT34

OilRig · Helix Kitten · Chrysene · EUROPIUM

Financial sectorGovernmentEnergyTelecom (Middle East)

Active since ~2014 · Regional espionage, Intelligence on adversaries, Government surveillance

It knows the DNS of your kingdom's gatekeepers. It reads the mail of ministers. The Oracle does not predict the future - it reads the present correspondence of everyone who might shape it, and reports accordingly.

Tactics & Techniques

RCN

RDV

INI

EXC

PRS

PRV

EVA

CRD

DSC

LAT

COL

EXF

IMP

T1566.001

Spearphishing Attachment

Initial Access

T1071.001

Web Protocols

Command and Control

T1136.001

Create Local Account

Persistence

T1572

Protocol Tunneling

Command and Control

T1040

Network Sniffing

Credential Access

T1134

Access Token Manipulation

Privilege Escalation

Notable Operations

◆DNSpionage campaign (DNS hijacking, 2018)
◆RDAT malware email C2 via Exchange
◆Middle East government ministry targeting
◆Leaked toolset published by Lab Dookhtegan (2019)

Defenses

▸
DNS monitoring with anomaly detection for hijacking
CIS Control 9 ↗
▸
DNSSEC implementation for authoritative zones
NIST SP 800-81 ↗
▸
Email gateway controls and Exchange security hardening
CIS Control 9 ↗
▸
Multi-factor authentication on all remote access
NIST SP 800-63B ↗

Reversed: Their Weakness

APT34's entire toolset was leaked by a hacktivist persona in 2019, exposing its malware, victims, and operators. The Oracle was read.

Share this adversary profile

← → arrow keys to browse

swipe to browse

← PreviousThe Flame Keeper Next →The Charmed One

Related Adversaries

Data sourced from MITRE ATT&CK. For educational purposes.