Cyber Resilience

Threat actor · all actors

OilRigG0049 state

🇮🇷 IR · MOIS

aka OilRig, COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452, Twisted Kitten, APT 34, ATK40, G0049

Last updated: 2026-07-03

1attributed CVEs
103ATT&CK techniques
1.2IDF score (tooling uniqueness)
0exclusive CVEs
2026years active

About this actor

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)

Source: MITRE ATT&CK

Activity timeline

Profile

CVERiskCVSSEPSSPublishedProducts
CVE-2026-20929 5.57.50.01142026-01-13see CVE

Mitigating controls (NIST 800-53)

ControlTechniques coveredCoverage
SI-465 / 10363%
CM-661 / 10359%
CM-256 / 10354%
CM-745 / 10344%
SI-344 / 10343%
AC-643 / 10342%
CA-741 / 10340%
AC-340 / 10339%
AC-238 / 10337%
AC-429 / 10328%
SC-727 / 10326%
SI-727 / 10326%
AC-525 / 10324%
IA-224 / 10323%
CM-523 / 10322%

Co-occurring actors

Similar actors

Similar TTPs

Overlapping CVEs

Same nation-state