OilRig APT group: the evolution of attack techniques over time

Security researcher Marco Ramilli presents a comparative analysis of the attack techniques adopted by the Iran-linked OilRig APT group.


Today I’d like to share a comparative analysis of how OilRig’s techniques have mutated over time. In particular I will refer to the excellent analyses published by Palo Alto Networks Unit 42, plus my own (HERE, HERE, HERE, etc.) and some more personal thoughts. I will refer to this group of references as “reports”. The reports have been divided into four timing groups in order to simplify the evaluation process. I am perfectly aware that such a division can only be indicative: there is no strict boundary between timing groups, it is really hard to give a strong and strict attribution (at least in my personal point of view), and very often it is definitely not “black and white”. In order to better evaluate the group’s techniques and to offer a clear timeline, I will refer to the following time frames:

1. group_a: from 2016 to August 2017
2. group_b: from August 2017 to January 2018
3. group_c: from January 2018 to February 2018
4. group_d: from March 2019 to August 2019

The evaluation process will cover the following techniques: Delivery, Exploit, Install and Command. To make those technique definitions easier to understand, I will add the official MITRE ATT&CK reference codes.


OilRig Description: According to MITRE, OilRig is a threat group with suspected Iranian origins that has targeted Middle Eastern and international victims since ..