MOIS OilRig cluster
The principal cyber-operational cluster attributed to Iran's Ministry of Intelligence and Security, the civilian-intelligence service, distinct from the parallel cyber capability of the IRGC Intelligence Organisation. Tracked across the threat-intelligence industry as APT34, OilRig, Helix Kitten, and Hazel Sandstorm. Operations focus on Gulf-state, Israeli, and Saudi Arabian government and energy-sector targets; the cluster has a substantially weaker public attribution and indictment record than the parallel IRGC-IO cluster.
Overview
The MOIS OilRig cluster is the principal cyber-operational cluster attributed to Iran's Ministry of Intelligence and Security (Vezarat-e Ettela'at va Amniat-e Keshvar, or VAJA) — the civilian-intelligence service of the Islamic Republic of Iran, distinct from and operationally parallel to the military-intelligence cyber capability of the IRGC Intelligence Organisation (tracked as Charming Kitten / APT35 in this bestiary). [1]
The cluster is tracked across the threat-intelligence industry under multiple vendor labels: APT34 (Mandiant), OilRig (Palo Alto Unit 42, the original 2016 designation that gave the cluster its most-cited name), Helix Kitten (CrowdStrike), Greenbug (Symantec), IRN2 (PwC), Cobalt Gypsy (Secureworks), Hazel Sandstorm (Microsoft post-2023 rename), ITG13 (IBM X-Force), and Lyceum (a partially-overlapping designation used by ICS-CERT and several threat-intel vendors for what may be a sub-cluster or affiliated operational unit). See APT designation for the naming-conventions context. [2]
The MOIS OilRig cluster has a substantially weaker public attribution and indictment record than the parallel IRGC IO cluster. Where the IRGC IO entry includes multiple United States Department of Justice indictments naming approximately 20 Iranian operators, there is no publicly documented standalone indictment naming OilRig/APT34 operators, and Treasury sanctions designations are limited. The institutional attribution rests substantially on the technical-intelligence and threat-attribution-methodology work of the threat-intelligence industry and on the 2019 Lab Dookhtegan leak of operator-side internal tooling. [3]
History & Origins
The publicly attested operational footprint begins in approximately 2014–2015, with what Palo Alto Unit 42's 2016 OilRig disclosure characterised as the cluster's first sustained intrusion-and-collection campaign against Middle Eastern energy-sector and government targets. The cluster's tradecraft profile has remained relatively stable across the period: substantially less doctrinal evolution than the parallel IRGC-IO cluster, and substantially more reliance on commodity tooling and operational patterns common across the broader Middle Eastern regional cyber-threat landscape. [4]
The MOIS's institutional investment in cyber capability is less well attested publicly than the parallel IRGC investment: the MOIS has historically been a more conservative institutional consumer of operational technology than the IRGC, and the documented operational footprint reflects that institutional culture. The MOIS cyber capability is best characterised as a sustained collection programme against regional adversaries, structured to support the Ministry's broader human-intelligence and political-collection mission rather than to operate independently of it. [5]
Operational footprint (documented)
2014–2017 Middle East energy and government targeting. The foundational documented operational footprint: sustained intrusion-and-collection operations against Saudi Arabian, United Arab Emirates, Qatari, Kuwaiti, Bahraini, and Omani government, energy-sector, and financial-services targets. The operational pattern centred on spearphishing of identified personnel followed by deployment of the cluster's signature implant families (Helminth, ISMAgent, PowRuner, POWBAT) and sustained low-signature collection. Reconstructed in successive Palo Alto Unit 42, Mandiant, and Symantec technical reports. [6]
2017 Saudi Arabian government intrusions. Sustained access to multiple Saudi Arabian government ministries across 2017, documented in successive Saudi National Cybersecurity Authority public assessments and in Symantec's Greenbug technical analyses. The 2017 operational period coincided with the Saudi-Qatari diplomatic crisis and substantially focused on Saudi diplomatic and intelligence-services collection. [7]
The 2019 Lab Dookhtegan leak. In March–May 2019 an unidentified actor calling itself Lab Dookhtegan (Persian for "sewn lips", a phrase for those forced into silence) publicly released on Telegram a substantial portion of the OilRig cluster's operational tooling, infrastructure inventory, victim list, and named-operator-identity material. The leaked material included the cluster's source code, target lists, intercepted-credential databases, and what the leaker characterised as the institutional identification of approximately six named Iranian operators. The leak is the most significant intelligence-services operational compromise in the public cyber record and was the foundational evidence base for subsequent United States Department of Justice unsealed-investigation materials. [8]
Sustained Israeli government and academic targeting. Across the post-2017 period the cluster has conducted sustained intrusion-and-collection operations against Israeli government, defence-industrial, and academic targets — substantially focused on collection of Iranian-related policy, intelligence, and academic research within Israeli institutions. Documented in successive Israel National Cyber Directorate periodic assessments and in Check Point Software, Trend Micro, and Mandiant technical reports. [9]
United States government and corporate targeting (2017 onward). Sustained collection against United States government targets — substantially focused on the Department of State, Department of Energy, and academic-research institutions working on Iranian-related policy questions — and against United States corporate targets in the energy, financial-services, and technology sectors. The operational tempo against United States targets has been substantially lower than the parallel IRGC-IO cluster's United States targeting. [10]
Post-October-2023 regional operations. Sustained operations against Israeli government and critical-infrastructure targets during the post-October-2023 Gaza-conflict period, including operational activity overlapping the IRGC IO cluster's parallel operations. Attribution of specific post-2023 operations to MOIS versus IRGC IO is less clearly delineated in the public record than for the pre-2023 period. [11]
Attribution
The principal public-record attribution of the OilRig cluster to MOIS rests on the Lab Dookhtegan leak of 2019 and on subsequent threat-intelligence-industry technical analyses. The leak material specifically named the operational unit as Rana Intelligence Computing Company (a contractor entity working under MOIS direction) and provided documentary material identifying approximately 12 named Iranian operators by name, photograph, and contact information. [12]
The United States Department of the Treasury sanctioned Rana Intelligence Computing Company on 17 September 2020, identifying the entity as a Tehran-based front company used by the Government of Iran to conduct cyber operations, and formally attributing it to the MOIS-linked cluster publicly tracked as APT39 (also known as Chafer and Cadelspy), a separate cluster from APT34/OilRig. The Treasury designation covered a years-long cyber-collection campaign against Iranian dissidents, journalists, civil-society organisations, and international travel-sector companies. The Rana/APT39 designation is the principal public Treasury attribution of a MOIS contractor cyber-operational entity; the OilRig/APT34 cluster itself lacks a corresponding direct Treasury entity designation. [13]
The Federal Bureau of Investigation Most Wanted Cyber list does not currently include named OilRig / APT34 defendants in the way it includes IRGC IO indictment-related listings. The institutional standing of the MOIS OilRig cluster as a publicly named threat actor is therefore weaker than that of the parallel IRGC IO cluster: established through threat-intelligence-industry technical attribution and through one Treasury sanctions designation, but without a substantial DOJ indictment record. [14]
See also
- Ministry of Intelligence (MOIS) — parent service
- IRGC Intelligence Organisation — sibling Iranian-state cyber-attribution parent
- IRGC Charming Kitten / APT35 — sibling Iranian-state cyber cluster at the bestiary level
- APT designation — naming-conventions context
Sources & Further Reading
1. Mandiant, APT34 threat-actor profile; Palo Alto Networks Unit 42, "The OilRig Campaign" (October 2016), the foundational technical disclosure.
2. CrowdStrike, Helix Kitten threat-actor profile; Symantec, Greenbug technical analyses; PwC threat-intelligence series; Secureworks, Cobalt Gypsy profile; Microsoft Threat Intelligence naming convention for Hazel Sandstorm.
3. The Lab Dookhtegan leak (Telegram, March–May 2019); subsequent technical analyses by FireEye / Mandiant, Palo Alto Unit 42, and ClearSky; United States Department of the Treasury, "Treasury Sanctions Iranian Cyber Actors" (17 September 2020).
4. Palo Alto Unit 42, "The OilRig Campaign", op. cit.; subsequent annual updates of the OilRig technical profile.
5. Peter Sinaiko et al., Center for a New American Security analyses of Iranian state-cyber institutional architecture; subsequent academic analysis in Journal of Strategic Studies.
6. Palo Alto Unit 42, OilRig series (2016–2020); Mandiant, APT34 technical reports.
7. Symantec, Greenbug technical analyses; Saudi National Cybersecurity Authority public assessments.
8. Lab Dookhtegan Telegram channel (March–May 2019); subsequent journalistic reconstruction in ZDNet (April 2019); ClearSky Cyber Security technical analyses of the leaked material.
9. Israel National Cyber Directorate periodic threat assessments; Check Point Software, OilRig reports; Trend Micro regional-targeting research.
10. Mandiant, APT34 threat-actor profile; Insikt Group (Recorded Future), Iranian-state cyber threat-actor periodic profiles.
11. Mandiant, post-October-2023 Iranian-state cyber-activity research; Microsoft Threat Intelligence quarterly threat-actor reports.
12. Lab Dookhtegan leak material, op. cit.; ClearSky Cyber Security, "Rana Institute" technical analysis.
13. United States Department of the Treasury, "Treasury Sanctions Iranian Cyber Actors", op. cit. (September 2020).
14. FBI Most Wanted Cyber list; Department of the Treasury, OFAC sanctions designations.