Recent investigations by security firm FireEye have revealed a sophisticated cyber espionage campaign orchestrated by an Iranian hacking group identified as Advanced Persistent Threat 33 (APT33). This group has been targeting critical sectors, including aerospace, defense, and energy, in the United States, Saudi Arabia, and South Korea since at least 2013. Their operation appears to be highly coordinated, focusing on gathering intelligence and pilfering trade secrets from targeted organizations.

The report asserts that APT33 operates on behalf of the Iranian government, underscoring the group’s alignment with state-sponsored cyber warfare efforts. Evidence indicates that its activities have escalated since May 2016, with successful intrusions into aviation and energy sectors linked to key petrochemical interests.

Victims of APT33's intrusions reportedly include a United States aerospace firm, a Saudi Arabian conglomerate with aviation holdings, and a South Korean company involved in oil refining. In a notable incident from May 2017, the attackers used a job vacancy lure, targeting employees of both a Saudi organization and a South Korean conglomerate with malicious files that advertised positions at a Saudi petrochemical firm.

FireEye’s report also suggests that APT33’s tactics may have been motivated by geopolitical dynamics, indicating an intention to gather intelligence on regional competitors. This could also reflect South Korea’s recent collaborations with Iranian petrochemical enterprises, alongside its relationships with Saudi petrochemical corporations.

APT33 relies on spear phishing, sending recruitment-themed emails whose links lead to malicious HTML Application (.hta) files rather than to attachments; opening the file starts the infection chain. The group's malware arsenal includes DROPSHOT, a dropper; SHAPESHIFT, a wiper; and TURNEDUP, a custom backdoor that serves as the final payload.

Significantly, earlier research by Kaspersky links DROPSHOT (which Kaspersky tracks as StoneDrill) to the Shamoon 2 wiper, and documents its use against a petroleum company in Europe. FireEye observed APT33 using DROPSHOT to install TURNEDUP, and also identified multiple DROPSHOT samples that deliver SHAPESHIFT, which can wipe disks, erase volumes, and delete files.

In the past year, APT33 has reportedly sent hundreds of spear phishing emails masquerading as communications from Saudi aviation entities and reputable international organizations, including Boeing and Northrop Grumman. This tactic illustrates the meticulous planning that has characterized their operations.
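The two indicators described above, links to .hta files and sender domains imitating aviation companies such as Boeing and Northrop Grumman, are easy to triage automatically. The following Python script is an added example written for this article, not code from FireEye or from the original report: it extracts URLs from an email body and flags any that point at an HTML Application file or that embed an impersonated brand name in a domain other than the brand's own. The lure domains and the sample email are constructed for this example; the two legitimate domains (boeing.com, northropgrumman.com) are assumed here only as the comparison baseline, and the eTLD+1 helper is deliberately naive.

```python
import re
from urllib.parse import urlparse

# Matches http(s) URLs in free text; trailing sentence punctuation is stripped later.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Brands the article says APT33 lures imitated, mapped to the domain assumed
# here to be the company's legitimate site (assumption for this example).
IMPERSONATED = {
    "boeing": "boeing.com",
    "northropgrumman": "northropgrumman.com",
}

# File type APT33 phishing links are reported to deliver.
DANGEROUS_EXTENSIONS = (".hta",)


def registered_domain(host):
    """Naive eTLD+1: last two labels. Fine for .com/.net samples, wrong for ccSLDs like .co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return the list of reasons a URL looks like an APT33-style lure (empty if none)."""
    reasons = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.path.lower().endswith(DANGEROUS_EXTENSIONS):
        reasons.append("link to HTML Application (.hta) file")
    reg = registered_domain(host)
    # Collapse separators so "northrop-grumman" still matches the brand token.
    flat_host = host.lower().replace("-", "").replace("_", "")
    for brand, legit in IMPERSONATED.items():
        if brand in flat_host and reg != legit:
            reasons.append(f"lookalike of {legit}")
    return reasons


def scan_email(body):
    """Return {url: reasons} for every suspicious URL in an email body."""
    findings = {}
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;:)")
        reasons = classify_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample lure, written for this example (not a real APT33 message).
SAMPLE_EMAIL = (
    "Subject: Job opportunity - Northrop Grumman\n"
    "Please review the open position at http://northrop-grumman-jobs.com/vacancy.hta\n"
    "Our official site: https://www.northropgrumman.com/careers.\n"
)

if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL).items():
        print(url, "->", "; ".join(reasons))
```

Running the script reports only the first link, because the second resolves to the legitimate registered domain. In production the brand list would come from your own supplier and partner inventory, and the registered-domain check should use a public suffix list rather than the two-label shortcut here.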

Furthermore, FireEye associates APT33 with the Nasr Institute, a known Iranian governmental body involved in executing cyber operations. In a related development, researchers from Trend Micro and ClearSky uncovered another Iranian espionage group, dubbed Rocket Kittens. Active since 2013, this group has also directed cyber efforts against entities in Israel, Saudi Arabia, and beyond.

Despite the distinct activities of these two groups, FireEye’s findings do not suggest any direct connections between them. For a comprehensive understanding of APT33’s operational methodologies and the specific MITRE ATT&CK tactics employed—such as initial access, persistence, and privilege escalation—further insights are available in FireEye’s published materials.

Maintaining cybersecurity vigilance is imperative for organizations potentially within the crosshairs of these sophisticated cyber operations. Business owners are encouraged to bolster their defenses, particularly against social engineering attacks like spear phishing, to mitigate risks associated with such threats.
