Threat actor
OilRig (G0049) · state
🇮🇷 IR · MOIS
aka OilRig, COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452, Twisted Kitten, APT 34, ATK40, G0049
Last updated: 2026-07-03
About this actor
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig April 2017)(Citation: ClearSky OilRig Jan 2017)(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: Unit42 OilRig Playbook 2023)(Citation: Unit 42 QUADAGENT July 2018)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-20929 | 5.5 | 7.5 | 0.0114 | 2026-01-13 | see CVE |
T1003, T1003.001, T1003.004, T1003.005, T1005, T1007, T1008, T1012, T1016, T1021, T1021.001, T1021.004, T1025, T1027, T1027.005, T1027.013, T1033, T1036, T1036.005, T1046, T1047, T1048, T1048.003, T1049, T1053, T1053.005, T1056, T1056.001, T1057, T1059, T1059.001, T1059.003, T1059.005, T1068, T1069, T1069.001, T1069.002, T1070, T1070.004, T1071, T1071.001, T1071.004, T1078, T1078.002, T1082, T1087, T1087.001, T1087.002, T1105, T1110, T1112, T1113, T1115, T1119, T1120, T1133, T1137, T1137.004, T1140, T1195, T1201, T1203, T1204, T1204.001, T1204.002, T1218, T1218.001, T1219, T1497, T1497.001, T1505, T1505.003, T1543, T1543.003, T1552, T1552.001, T1553, T1553.002, T1555, T1555.003, T1555.004, T1556, T1556.002, T1566, T1566.001, T1566.002, T1566.003, T1572, T1573, T1573.002, T1583, T1583.001, T1586, T1586.002, T1587, T1587.001, T1588, T1588.002, T1588.003, T1608, T1608.001, T1686, T1686.003
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 65 / 103 | 63% |
| CM-6 | 61 / 103 | 59% |
| CM-2 | 56 / 103 | 54% |
| CM-7 | 45 / 103 | 44% |
| SI-3 | 44 / 103 | 43% |
| AC-6 | 43 / 103 | 42% |
| CA-7 | 41 / 103 | 40% |
| AC-3 | 40 / 103 | 39% |
| AC-2 | 38 / 103 | 37% |
| AC-4 | 29 / 103 | 28% |
| SC-7 | 27 / 103 | 26% |
| SI-7 | 27 / 103 | 26% |
| AC-5 | 25 / 103 | 24% |
| IA-2 | 24 / 103 | 23% |
| CM-5 | 23 / 103 | 22% |
Co-occurring actors
- Mustang Panda (1 shared CVE)
- SolarWinds Compromise (1 shared CVE)
- APT38 (1 shared CVE)
- Tonto Team (1 shared CVE)
- Ember Bear (1 shared CVE)
- GOLD SOUTHFIELD (1 shared CVE)
- Aquatic Panda (1 shared CVE)
- APT28 (1 shared CVE)
- Sandworm Team (1 shared CVE)
- Ajax Security Team (1 shared CVE)
Similar actors
Similar TTPs
- Operation Wocao (0.38)
- Threat Group-3390 (0.37)
- FIN7 (0.36)
- APT32 (0.35)
- Mustang Panda (0.35)
Overlapping CVEs
- C0027 (1.00)
- APT12 (1.00)
- APT28 (1.00)
- FIN7 (1.00)
- Tropic Trooper (1.00)
Active in same years
- Operation Dream Job (1.00)
- SolarWinds Compromise (1.00)
- C0027 (1.00)
- SharePoint ToolShell Exploitation (1.00)
- Ke3chang (1.00)
Same nation-state
- HomeLand Justice (1.00)
- Outer Space (1.00)
- Juicy Mix (1.00)
- Cleaver (1.00)
- CopyKittens (1.00)
Same category
- Night Dragon (1.00)
- FunnyDream (1.00)
- C0011 (1.00)
- Operation Wocao (1.00)
- Operation Dream Job (1.00)