top of page
  • FC

What we can learn from the APT34 leak

The Iranian hacking group known as APT34/Oilrig/HelixKitten have had a breach of their own: a dump of the breach has now been made available on the web. The leak includes sets of tools, including Glimpse, PoisonFrog, Hypershell, HighShell, FoxPanel and WebMask and also included a bunch of breached passwords gained via these tools and others.

We speak at hundreds of events, c-suite workshops and general awareness sessions for clients and one of the most common questions that we've been asked over the last couple of years is "how can we stop Nation State attackers?".

We always tell people that whilst Nation State groups generally have incredible skills, people and resources as well as the drive to perform, they will always start with the easiest vulnerabilities. Why waste an expensive zero-day exploit when someone has a terrible password?

This post is not about the APT34/Oilrig/HelixKitten tools, where they came from or what they could potentially be used to access. This post is purely looking at what the passwords gathered tell us about the security culture of the organisations and government departments that were breached.

Within the breach data is roughly 12,500 passwords, which range from domain accounts through to webmail passwords.

Some of the passwords contain information which would identify the organisation from which they were taken. This highlights a common security issue with passwords: people sometimes use the company name as part of the password they use within that company, which obviously makes that password much easier to crack. To prevent revealing the organisations involved in the breach in this blog post, we will not print the top ten used passwords as eight of them contain identifying information. The top two do not and they are:

eysb@123 123456 Almost 1000 accounts use either one of the above passwords and only 5,715 passwords out of the 12,500 are unique. It is clear that password reuse is still a major problem in all of the organisations breached.

We can also analyse the length of passwords, with most passwords not exceeding 11 characters, implying a lack of awareness regarding the fact that short passwords are incredibly easy to crack. A shocking 5% of passwords were 6 or less characters! It would be easy at this point to blame individuals for poor password choice and management, but that would not be fair. Most people now have to manage a mind-boggling number of passwords and they are just not able to remember a large number of complicated, unique passwords. This breach, like so many, shows why we need to provide people with access to, and training in, password managers.

Some other interesting statistics can be drawn from the passwords, such as 5,189 passwords started with a capital letter and ended with a number, almost 4,000 ended with 3 numbers, with obviously the most popular ending being 123 (as in password123).

Whilst nearly 5,000 passwords were mixed case and included a special character and number, which shows that people are using complex password structures, we can see from other stats that they are not creating complicated passwords. Thus proving that complexity of characters can be usurped by poor length and easy to guess words/structure.

So let this stand as proof to those that are worried about Nation State attackers: whether you are being targeted by a script kiddie, an organised criminal gang or a Nation State, they all start by attacking the easiest route in. Start with the security foundations, because that's where they will start, too.

Many thanks to DigiNinja for his excellent tool Pipal (a password analysis tool by DigiNinja )


Related Posts

See All

2 comentarios

Agnes Lizzy
Agnes Lizzy
14 oct 2023

Contact him for any type of hacking, he is a professional hacker that specializes in exposing cheating spouses, and every other hacking related issues. he is a cyber guru, he helps catch cheating spouses by hacking their communications like call, Facebook, text, emails, Skype, whats-app and many more. I have used this service before and he did a very good job, he gave me every proof I needed to know that my fiancee was cheating. You can contact him on his email to help you catch your cheating spouse, or for any other hacking related problems, like hacking websites, bank statement, grades and many more. he will definitely help you, he has helped a lot of people, contact him on,…

Me gusta

Janet Lucy
Janet Lucy
12 oct 2023

I’m excited to write about Henry Hacker, he is a great and brilliant hacker who penetrated my spouse’s phone without a physical installation app. And I was able to access my spouse’s phone, SMS, Whatsapp, Instagram, Facebook, Wechat, Snapchat, Call Logs, Kik, Twitter and all social media. The most amazing thing there is that he restores all phone deleted text messages. And I also have access to everything including the phone gallery without touching the phone.I can see the whole secret of my spouse. Contact him for any hacking service. He is also a genius in repairing Credit Score, increasing school grade, Clear Criminal Record etc. His service is fast. Contact:, and you can text, call him on whatsapp…

Me gusta
bottom of page