Cyber Incident Victim: APT34

Date:

Mar 2019

Location:

Iran

Summary

A hacker group known as Lab Dookhtegan exposed the operations of Iranian state-linked APT34 (OilRig/HelixKitten) by leaking internal data through a Telegram channel. The breach revealed infrastructure details, custom hacking tools—including Poison Frog and Glimpse backdoors—and compromised web shells, alongside personal information of alleged group members affiliated with Iran’s Ministry of Intelligence. Targets included Middle Eastern government offices and organizations, with compromised credentials altered to disrupt access. The disclosure aimed to undermine Iranian cyber capabilities, forcing operational retooling, though analysts noted most leaked tools required significant modification for reuse. The leaks also contained calls for further exposure of the regime’s activities by Iranian citizens.

Description

On March 26, 2019, a hacking entity identifying as Lab Dookhtegan initiated a public exposure campaign targeting the Iranian state-sponsored cyber-espionage group APT34, also known as OilRig or HelixKitten. Through a dedicated Telegram channel, Dookhtegan released extensive operational details, including infrastructure configurations, custom hacking tools, internal member identities, and victim information. The leak encompassed source code for multiple proprietary tools—Poison Frog, Glimpse (PowerShell backdoors), HyperShell, HighShell, Fox Panel, and Webmask—along with URLs and access credentials for web shells deployed on compromised servers globally. Compromised credentials from victim organizations were altered to display the phrase 'Th!sN0tF0rFAN' as a marker of the breach. Affected entities spanned Middle Eastern governmental and commercial organizations, including Dubai Media Inc., Etihad Airways, and government offices in Kuwait and Oman. Chronicle, Alphabet’s cybersecurity subsidiary, confirmed the legitimacy of the leaked data as originating from APT34’s operations.

Lab Dookhtegan supplemented technical disclosures with personally identifiable information of alleged APT34 operatives and Iranian Ministry of Intelligence personnel, including names, phone numbers, email addresses, and photographs. The group announced plans to periodically release additional Ministry staff details, framing the leaks as an effort to undermine the Iranian regime’s cyber capabilities and inspire domestic opposition. Chronicle analysts assessed that the exposure would force APT34 to retool infrastructure and modify tactics, disrupting ongoing operations. While tools like Poison Frog and Glimpse contained modifiable code, most leaked assets were functionally limited (“hamstrung”), reducing their utility for widespread reuse without significant adaptation. The campaign highlighted APT34’s targeting patterns and operational methodologies, providing defenders with actionable intelligence on compromised systems and attacker techniques.
