Helix Kitten Explained

Helix Kitten (also known as APT34 by FireEye, OILRIG, Crambus, Cobalt Gypsy, Hazel Sandstorm,^[1] or EUROPIUM)^[2] is a hacker group identified by CrowdStrike as Iranian.^{[3] [4]}

History

The group has reportedly been active since at least 2014.^[3] It has targeted many of the same organizations as Advanced Persistent Threat 33, according to John Hultquist.^[3]

In April 2019, APT34's cyber-espionage tools' source code was leaked through Telegram.^{[5] [6]}

Targets

The group has reportedly targeted organizations in the financial, energy, telecommunications, and chemical industries, as well as critical infrastructure systems.^[3]

Techniques

APT34 reportedly uses Microsoft Excel macros, PowerShell-based exploits and social engineering to gain access to its targets.^[3]

Notes and References

1. Web site: How Microsoft names threat actors . Microsoft . 21 January 2024.
2. Web site: Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders .
3. . APT 34 Is an Iran-Linked Hacking Group That Probes Critical Infrastructure . https://web.archive.org/web/20171210144943/https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ . December 10, 2017 . Lily Hay . Newman . December 7, 2017.
4. News: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit . . December 7, 2017 . December 10, 2017 . https://web.archive.org/web/20171210145601/https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html . Manish . Sardiwal . Yogesh . Londhe . Nalani . Fraser . Nicholas . Fraser . Jaqueline . O'Leary . Vincent . Cannon.
5. Web site: Source code of Iranian cyber-espionage tools leaked on Telegram; APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month. . Catalin Cimpanu . April 17, 2019 . ZDNet. April 24, 2019.
6. Web site: How companies – and the hackers themselves – could respond to the OilRig leak . 18 April 2019 .