APT34 OilRig Hits US Critical Infrastructure After Iran Nuclear Strike

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
APT34 (OilRig) compromised water treatment facilities, energy control systems, and government networks across the United States within 72 hours of the March 2, 2026 US-Israeli military strike on Iranian nuclear facilities: a retaliatory operational surge confirmed by CISA advisory AA26-097A and threat intelligence from SentinelOne, SOCRadar, and Trellix.
APT34 OilRig is an Iranian state-sponsored advanced persistent threat group attributed to Iran's Islamic Revolutionary Guard Corps (IRGC). Active since at least 2014, APT34 targets governments, critical infrastructure operators, telecommunications providers, and financial institutions that align with Iranian geopolitical adversaries. Following Operation Epic Fury: the joint US-Israeli military strike on Iranian nuclear enrichment facilities on March 2, 2026: APT34 dramatically increased operational tempo across all documented victim sectors within 72 hours, matching acceleration patterns observed after every previous US-Iran military escalation.
The group deploys custom malware families including Veaty and Spearal backdoors that communicate via DNS tunneling and compromised Exchange mailboxes, routing command traffic through authorized channels that bypass standard perimeter monitoring. This technical approach allows APT34 operators to maintain persistent access inside target networks for months before any visible action, consistent with state-sponsored intelligence collection objectives.
APT34 OilRig is not a theoretical threat. CISA advisory AA26-097A, issued jointly by the FBI, NSA, EPA, Department of Energy, and US Cyber Command on April 7, 2026, confirms Iranian-affiliated APT actors are actively exploiting programmable logic controllers (PLCs) across US water and wastewater systems, energy facilities, and government networks right now. Energy and utilities organizations appear in 66% of observed APT campaigns tracked over the past three months. If your organization operates industrial control systems, government infrastructure, or telecommunications networks, APT34's current retaliatory surge makes you an active target this week.
Who Is APT34 OilRig? A Complete Threat Actor Profile
APT34 OilRig is a nation-state cyber espionage and sabotage group operated by Iran's Islamic Revolutionary Guard Corps (IRGC), documented by MITRE ATT&CK under group identifier G0049. The group carries multiple aliases assigned by different threat intelligence firms: OilRig (Palo Alto Unit 42), Helix Kitten (CrowdStrike), Hazel Sandstorm (Microsoft), COBALT GYPSY (SecureWorks), EUROPIUM (IBM X-Force), Crambus, TA452, Earth Simnavaz, and ITG13. This proliferation of names reflects independent discovery by separate research teams tracking the same operational infrastructure.
APT34 has conducted documented cyber operations since at least 2014. Mandiant attributed the group to Iran in 2017 based on operational infrastructure details that included Iranian-registered IP address space, timestamps correlating to Iranian working hours, and victimology consistent with IRGC intelligence collection priorities. The group's targets align directly with organizations of strategic interest to the Iranian government: US defense contractors, NATO member government agencies, Saudi Arabian energy companies, Israeli technology firms, and Gulf state telecommunications providers.
APT34's mandate spans both long-term espionage and disruptive attacks on critical infrastructure. The group collects strategic intelligence from government and defense networks while simultaneously staging destructive capability that Iranian leadership can activate during military escalation. APT34 executes both missions concurrently: maintaining persistent access for intelligence collection while pre-positioning for infrastructure disruption.
APT34 distinguishes itself from financially motivated threat actors through resource level and operational patience. Campaigns documented by researchers show dwell times of 9 to 18 months inside victim networks before any visible action, consistent with state-sponsored collection objectives. The group demonstrates deep familiarity with enterprise architectures and operational security discipline that indicates professional, full-time operators backed by state resources. This patience and sophistication make APT34 significantly harder to detect and evict than criminal ransomware groups.
How Does APT34 Attack? OilRig TTPs Mapped to MITRE ATT&CK
APT34 OilRig follows a consistent intrusion methodology across all documented campaigns, with specific TTPs appearing repeatedly and mapped to the MITRE ATT&CK framework under G0049.
Initial access relies on two primary vectors applied in parallel. Spearphishing (T1566.001) is the group's most consistent entry point: targeted emails carrying malicious macro-enabled Office documents or HTML smuggling payloads, crafted to impersonate legitimate professional communications. A 2019 campaign documented by Mandiant used fake LinkedIn job opportunities from a fictitious Cambridge University researcher profile to deliver the Tricklist backdoor: a social engineering sophistication level that has only improved since. When perimeter exposure exists, APT34 simultaneously exploits public-facing applications (T1190), targeting unpatched VPN appliances, web servers, and remote access gateways.
Execution uses scripting interpreters almost exclusively. PowerShell (T1059.001) and Visual Basic (T1059.005) handle payload staging and lateral movement commands. APT34 operators avoid dropping compiled executables where PowerShell achieves the same result, reducing forensic artifacts and blending with legitimate administrative activity. This living-off-the-land approach renders signature-based endpoint detection largely ineffective against APT34 campaigns.
Command and control represents the group's most technically distinctive capability. DNS tunneling (T1071.004) encodes C2 communications inside DNS query subdomain records, bypassing firewall rules that permit outbound DNS while blocking direct C2 connections. APT34 also abuses legitimate cloud services (T1102): Microsoft OneDrive, Exchange mail flows, and SaaS APIs: as covert channels that generate no alerts in organizations that unconditionally trust these platforms.
Persistence relies on web shells (T1505.003) on compromised internet-facing servers and valid account abuse (T1078) using harvested credentials. APT34 maintains multiple parallel persistence mechanisms inside each victim network, ensuring a single remediation action cannot fully remove the group's access.
“APT34 demonstrates a particular sophistication in C2 architecture, notably DNS tunneling implemented across multiple malware families, effectively hiding attacker communications in plain-DNS traffic that most organizations allow unconditionally.”
Palo Alto Networks Unit 42, OilRig Research
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
APT34's 2026 Campaign: US Critical Infrastructure After Operation Epic Fury
Operation Epic Fury: the March 2, 2026 US-Israeli military strike on Iranian nuclear enrichment facilities at Natanz and Fordow: triggered an immediate and documented expansion of APT34 operations. Security operations centers across the US observed surges in APT34-attributed reconnaissance, credential harvesting, and spearphishing waves within 72 hours of the strike, matching acceleration patterns documented after the January 2020 Soleimani strike and every subsequent US-Iran military escalation.
CISA advisory AA26-097A, issued jointly by the FBI, NSA, EPA, Department of Energy, and US Cyber Command on April 7, 2026, confirmed the specific operational shift: Iranian-affiliated APT actors are exploiting internet-connected Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure. The advisory describes malicious manipulation of HMI and SCADA display data at water and wastewater facilities, energy generation sites, and government operations centers: not just espionage-grade access collection, but active functional disruption of physical systems.
The targeting scope reflects deliberate selection for maximum coercive impact on the US public. Water treatment facility disruption creates direct public health risk. Energy infrastructure compromise cascades into economic disruption. Government network intrusion combines intelligence collection with sabotage positioning during active military conflict.
Energy and utilities organizations face the sharpest current exposure: CYFIRMA data from June 2026 shows this sector appeared in 66% of all observed APT campaigns over the prior 90 days, with APT34 among the principal attributed actors alongside Lazarus Group and Sandworm. The pattern of Iranian APT groups targeting US water and energy PLCs did not begin with Operation Epic Fury: see our previous coverage of Iran-linked CyberAv3ngers targeting US water and energy PLCs before the strike: but the March 2026 escalation has dramatically expanded the scope and tempo of confirmed targeting.
The OilRig Malware Arsenal: Veaty, Spearal, STEALHOOK, and QUADAGENT
APT34 maintains one of the most actively developed malware toolsets among Iranian state-sponsored groups. The group continually introduces new implant families while retiring compromised tools, demonstrating sustained development resources consistent with full-time professional operators backed by state funding.
Veaty is a backdoor first documented in 2024 and actively deployed in 2026 campaigns. It establishes C2 by hijacking email protocols: specifically by reading and writing emails inside a compromised Outlook or Exchange mailbox that APT34 controls. Commands arrive as emails in the target mailbox; results are sent as replies. This approach routes all command traffic through legitimate email infrastructure, bypassing network controls designed to block traditional C2 connections. Veaty shares code lineage with earlier APT34 implants including PowerExchange and Karkoff.
Spearal is a companion implant deployed alongside Veaty. Spearal uses DNS tunneling for C2, encoding commands in DNS query subdomain strings and decoding responses from DNS reply records. Combined with Veaty's email-channel C2, APT34 operators maintain redundant communication channels that require separate detection approaches to eliminate simultaneously.
STEALHOOK is a data exfiltration module deployed in 2024 and 2025 campaigns following Windows Kernel privilege escalation. STEALHOOK intercepts Exchange account data and exfiltrates it through legitimate API calls that blend with normal enterprise email activity. QUADAGENT is a PowerShell-based backdoor used across multiple campaign generations, executing encoded commands through legitimate web services as C2 channels. ISMAgent handles lateral movement in hardened enterprise environments.
All these malware families are documented in CISA advisory AA26-097A and MITRE ATT&CK G0049. For comparison with how other nation-state APTs weaponize AI to accelerate their intrusion chains, see our analysis of APT28's LameHug malware using LLM commands for post-exploitation.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
APT34 Campaign History: 12 Years of Iranian State Cyber Operations
APT34's operational history spans 12 years and shows consistent escalation of target scope, technical sophistication, and willingness to execute destructive attacks rather than pure espionage.
The group's earliest documented operations in 2014 focused on credential harvesting from Middle Eastern government and energy organizations aligned with US and Israeli interests. By 2017, Mandiant had assembled sufficient evidence to publicly attribute APT34 to Iran, revealing a custom malware ecosystem and a victim roster spanning six countries and multiple sectors.
The 2019 LinkedIn spearphishing campaign demonstrated the group's social engineering sophistication: APT34 operators posed as Cambridge University researchers to deliver Tricklist malware to targeted professionals, exploiting the trust afforded to academic outreach on professional networks. Mandiant's public disclosure of this campaign: titled "Hard Pass: Declining APT34's Invite to Join Their Professional Network": forced the group to retire compromised infrastructure and rebuild.
A 2024 multi-stage intrusion campaign against Iraqi government entities introduced Veaty and Spearal, demonstrating APT34's continued malware development investment and adaptation to hardened enterprise perimeters. This campaign combined public-facing application exploitation with novel email-channel C2 to establish persistent access even in environments with strict firewall egress controls.
The March 2026 retaliatory surge following Operation Epic Fury represents the group's most aggressive and geographically broad campaign targeting US infrastructure. The simultaneous combination of government network intrusion, PLC exploitation across physical infrastructure, and credential harvesting across private sector targets shows APT34 executing coordinated, multi-vector campaign operations rather than opportunistic targeting.
March 2, 2026: Operation Epic Fury nuclear strike
US and Israel conduct joint military strike on Iranian nuclear facilities at Natanz and Fordow. APT34 begins accelerating operations within hours across all documented victim sectors.
March-April 2026: APT34 PLC exploitation surge
APT34 and affiliated IRGC actors exploit internet-facing Rockwell Automation PLCs across US water, energy, and government facilities. HMI and SCADA data manipulation confirmed at multiple sites.
April 7, 2026: CISA issues advisory AA26-097A
FBI, CISA, NSA, EPA, and US Cyber Command jointly confirm Iranian APT exploitation of PLCs across three US critical infrastructure sectors and issue mandatory defensive guidance.
Detecting APT34 OilRig Activity in Your Environment
APT34's reliance on DNS tunneling, email-channel C2, and PowerShell creates specific detection opportunities that standard perimeter monitoring misses. Effective detection requires behavioral analytics against clean baselines and visibility into both IT and OT network segments.
The hunting steps below target APT34's documented TTPs. Federal agencies must treat these as mandatory under CISA advisory AA26-097A. Private sector organizations in energy, water, government contracting, telecommunications, and financial services should treat them as urgent given APT34's confirmed current targeting priorities.
Enable and baseline DNS query logging across all resolvers
Enable full DNS query logging at your DNS resolvers and establish a per-host baseline of normal query volumes and domain patterns. Alert on any host generating more than 500 DNS queries per hour, queries with subdomains longer than 40 characters, or queries to domains registered in the past 30 days. APT34's Spearal backdoor generates statistically anomalous DNS patterns that are detectable against a clean baseline but invisible without query-level logging.
Enable PowerShell script block and module logging
Enable PowerShell script block logging (Event ID 4104) and module logging (Event ID 4103) across all Windows endpoints. Alert on Base64-encoded -EncodedCommand execution, PowerShell spawned from non-administrative accounts, and PowerShell processes making outbound network connections. APT34 uses encoded PowerShell as a consistent first-stage execution method across QUADAGENT and all documented campaign variants.
Monitor Exchange EWS API call volumes for server-side anomalies
Review Microsoft 365 audit logs for Exchange Web Services API calls from server-side processes, non-human service accounts accessing mailbox folders, and email read operations on high-value target mailboxes. APT34's Veaty backdoor reads and writes emails as its C2 channel, generating API call patterns inconsistent with normal user behavior. Baseline per-mailbox API call volumes to detect Veaty-pattern communication.
Audit PLC and HMI access logs for unauthorized Ladder Logic changes
Review Ladder Logic change logs on Rockwell Automation and Allen-Bradley PLCs for any modifications not initiated by authorized engineering workstations during approved maintenance windows. Compare sensor values displayed on HMI screens against physical sensor readings to detect SCADA data manipulation. CISA AA26-097A specifically documents attackers falsifying HMI displays to mask physical infrastructure attacks.
Hunt for web shells on internet-facing servers
Audit all public-facing web and application servers for PHP, ASPX, JSP, or other server-side script files in directories that should contain only static content. APT34 deploys web shells as a primary persistence mechanism following initial exploitation. Files with creation timestamps newer than your last verified deployment in media or upload directories are high-priority web shell candidates.
Correlate spearphishing attempts with authentication events
Cross-reference spearphishing attempts captured by email security tooling against authentication logs for the targeted accounts over the following 72 hours. APT34 moves immediately from a successful phish to credential use against VPN, Outlook Web Access, and internal application logins. A spearphishing click followed by authentication from an unexpected IP or device is a confirmed intrusion indicator requiring immediate investigation.
Review cloud service egress for server-initiated API connections
Audit outbound connections to OneDrive, SharePoint, GitHub, and other cloud service APIs originating from server processes rather than user workstations. APT34 routes C2 traffic through legitimate cloud service APIs, making connections appear benign at the network layer. Server processes initiating cloud API calls without a documented business justification that predates any suspicious activity should be treated as potential C2 communication.
Why APT34 OilRig Matters for Your Organization This Week
APT34 OilRig's current operational surge extends well beyond the traditional Middle Eastern target set that defined the group's first decade. The post-Operation Epic Fury campaign represents a deliberate shift to US critical infrastructure as a primary theater of operations, with state authorization for destructive attacks rather than intelligence collection only.
The organizations most exposed right now include operators of industrial control systems connected to corporate IT networks, municipal and federal government agencies, telecommunications infrastructure providers, defense contractors with Middle East program exposure, and healthcare and financial organizations that share supply chain relationships with any of these primary targets. APT34 historically uses trusted third-party access as a force multiplier, compromising a contractor or vendor to reach the primary high-value target: meaning exposure is not limited to organizations that appear directly in APT34's known victim list.
The 2026 average adversary breakout time of 72 minutes: a fourfold reduction from 2022 averages: means APT34 operators who achieve initial access through a successful spearphish can reach domain administrator privileges before most security teams complete their first incident response call. This speed requirement demands pre-positioned detection infrastructure rather than reactive analysis. DNS query logging, PowerShell auditing, and PLC change monitoring must be active before the intrusion begins, not configured during response.
The direct US-Iran military conflict context means APT34 operations carry explicit geopolitical authorization at the highest levels of the Iranian government. Unlike financially motivated cybercriminal groups that moderate activity in response to law enforcement pressure, APT34 will continue operating and escalating as long as the military conflict continues. The CISA advisory AA26-097A, the MITRE ATT&CK G0049 TTP documentation, and the detection steps above represent the complete available defensive posture against a group that is active, well-resourced, and geopolitically motivated to escalate.
The bottom line
APT34 OilRig is Iran's most active state-sponsored APT group and is executing a confirmed retaliatory campaign against US critical infrastructure following Operation Epic Fury. Three actions this week: enable DNS query logging with anomaly alerts for high-entropy subdomains, audit Rockwell and Allen-Bradley PLC Ladder Logic change logs for unauthorized modifications, and review Exchange EWS API call volumes for Veaty-pattern C2 activity. APT34 has moved from pure espionage into destructive PLC attacks against water and energy systems: the threat is active, state-authorized, and escalating.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
Who is APT34 OilRig?
APT34, also known as OilRig, Helix Kitten, or Hazel Sandstorm, is an Iranian state-sponsored cyber espionage and sabotage group attributed to the Islamic Revolutionary Guard Corps (IRGC). Active since at least 2014, the group targets governments, critical infrastructure, telecommunications, and financial organizations across the Middle East, United States, and allied nations. MITRE ATT&CK documents the group under identifier G0049 with a comprehensive TTP catalog spanning 12 years of documented operations.
What TTPs does APT34 OilRig use?
APT34 uses spearphishing (T1566.001) and exploitation of public-facing applications (T1190) for initial access, PowerShell and Visual Basic (T1059) for execution, web shells (T1505.003) and valid accounts (T1078) for persistence, and DNS tunneling (T1071.004) combined with cloud service abuse (T1102) for command and control. The group's Veaty backdoor routes C2 through compromised Exchange mailboxes, making standard network monitoring ineffective for detecting active APT34 communications.
Which sectors does APT34 target in 2026?
In the current 2026 campaign, APT34 is actively targeting US water and wastewater systems, energy generation facilities, and government operations centers: all confirmed in CISA advisory AA26-097A. Historically the group also targets telecommunications providers, financial institutions, defense contractors, and organizations with ties to Saudi Arabia, Israel, and Gulf state governments. Energy and utilities organizations appeared in 66% of all tracked APT campaigns in the past 90 days, with APT34 as a principal attributed actor.
How do I detect APT34 OilRig activity on my network?
Enable DNS query logging and alert on subdomains longer than 40 characters or query rates above 500 per hour per host. Enable PowerShell script block logging and alert on Base64-encoded execution. Monitor Exchange EWS API call volumes for server-side anomalies consistent with Veaty backdoor communications. Review PLC and HMI change logs for unauthorized Ladder Logic modifications. Check public-facing servers for unexpected web shell files. APT34 routes C2 through authorized channels, making behavioral baselines against known-good activity essential for detection.
What malware does APT34 OilRig use in 2026?
APT34's current primary implants are Veaty and Spearal. Veaty communicates by reading and writing emails inside a compromised Exchange or Outlook mailbox, routing all C2 through legitimate email infrastructure. Spearal uses DNS tunneling with high-entropy subdomain encoding for C2. STEALHOOK is an exfiltration module used after privilege escalation to steal Exchange account data. QUADAGENT is a PowerShell backdoor used for execution and lateral movement. ISMAgent handles enterprise lateral movement in hardened environments. All are documented in MITRE ATT&CK G0049.
Has APT34 been sanctioned or indicted?
The US Department of Treasury has sanctioned Iranian entities linked to IRGC cyber operations, and the Department of Justice has unsealed indictments naming Iranian nationals associated with APT-attributed intrusions. No APT34 operator has been extradited or prosecuted, as Iran does not extradite nationals to the United States. Sanctions create financial and travel restrictions on named individuals but do not disrupt active operations. APT34's state backing insulates it from the law enforcement pressure that disrupts financially motivated criminal groups.
What is Operation Epic Fury and how did APT34 respond?
Operation Epic Fury was the joint US-Israeli military strike on Iranian nuclear enrichment facilities at Natanz and Fordow on March 2, 2026. Within 72 hours of the strike, APT34 and affiliated IRGC cyber units dramatically increased operational tempo across all documented victim sectors, matching acceleration patterns observed after the January 2020 Soleimani strike and every subsequent US-Iran military escalation. The retaliatory cyber campaign has included confirmed PLC exploitation at US water and energy facilities, documented in CISA advisory AA26-097A.
What does CISA advisory AA26-097A say about Iranian APTs?
CISA advisory AA26-097A, issued jointly by the FBI, NSA, EPA, Department of Energy, and US Cyber Command on April 7, 2026, confirms that Iranian-affiliated APT actors are actively exploiting internet-connected Rockwell Automation and Allen-Bradley programmable logic controllers across US water and wastewater systems, energy facilities, and government networks. The advisory documents malicious manipulation of HMI and SCADA display data and provides IOC lists, detection guidance, and mandatory remediation requirements for federal agencies.
Sources & references
- CISA Advisory AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across US Critical Infrastructure
- MITRE ATT&CK: OilRig (G0049)
- SentinelOne: Iranian Cyber Activity Outlook
- SOCRadar: Iran vs. Israel and US Cyber War 2026: Operation Epic Fury Threat Intelligence
- Industrial Cyber: Energy and Utilities Targeted in 66% of Observed APT Campaigns
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
