The threat group known as APT33, which targets the oil and aviation industries, has been using a dozen live Command and Control (C&C) servers for extremely narrow targeting, new research showed.
The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia, said Trend Micro’s Feike Hacquebord, Cedric Pernet, and Kenney Lu in a post.
The campaigns rely on botnets consisting of small groups of up to a dozen infected computers, which are used to gain persistence within the networks of select targets. The malware appears basic and has limited capabilities, including downloading and running additional malware, the researchers said.
“Among active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia,” the researchers said in their post.
APT33 has become more aggressive with the group using the private website of a high-ranking European politician to send spear phishing emails to companies that are part of the supply chain of oil products. In this case, targets included a water facility that is used by the U.S. army for the potable water supply of one of its military bases, the researchers said.
“These attacks have likely resulted in concrete infections in the oil industry,” the researchers said. “For example, in the fall of 2018, we observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server. Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least 3 weeks in November and December 2018. There were several other companies in oil supply chains that had been compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.”
Aside from APT33’s attacks against oil product supply chains, the researchers said they found the group has been using several C&C domains for small botnets comprising about a dozen bots each.
To hide the group’s tracks, the C&C domains are usually hosted on cloud-hosted proxies, the researchers said. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains.
The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections, the researchers said.
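The layered infrastructure described above means defenders rarely see the aggregator or VPN exit nodes directly; what they do see is a small number of internal hosts checking in with the proxied C&C domain on a regular schedule. The following is an added example, not code from the Trend Micro report: a minimal beacon-periodicity check over constructed proxy log lines (timestamp, source host, destination domain; all hostnames and domains are made-up placeholders) that flags domains contacted by a small set of hosts at near-constant intervals.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy log: "<unix_ts> <internal_host> <destination_domain>".
# ws-017 and ws-042 check in with the same domain roughly every 600 seconds;
# ws-021 talks to a mail domain at irregular, human-driven intervals.
SAMPLE_LOG = """\
1546300800 ws-017 updates.example-cdn.test
1546301400 ws-017 updates.example-cdn.test
1546302000 ws-017 updates.example-cdn.test
1546302600 ws-017 updates.example-cdn.test
1546300800 ws-042 updates.example-cdn.test
1546301410 ws-042 updates.example-cdn.test
1546301990 ws-042 updates.example-cdn.test
1546302600 ws-042 updates.example-cdn.test
1546300800 ws-021 mail.example-corp.test
1546300837 ws-021 mail.example-corp.test
1546301700 ws-021 mail.example-corp.test
1546301800 ws-021 mail.example-corp.test
"""

def parse_log(log):
    """Group request timestamps by destination domain, then by source host."""
    by_domain = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        ts, host, domain = line.split()
        by_domain[domain][host].append(int(ts))
    return by_domain

def find_beacons(log, max_hosts=12, min_hits=4, max_jitter=0.2):
    """Return {domain: [hosts]} for domains seen from at most max_hosts internal
    hosts, where a host made >= min_hits requests whose inter-request gaps vary
    by no more than max_jitter (coefficient of variation) around their mean."""
    flagged = {}
    for domain, hosts in parse_log(log).items():
        if len(hosts) > max_hosts:  # popular domains are not a dozen-bot botnet
            continue
        periodic = []
        for host, times in hosts.items():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(gaps) < min_hits - 1:
                continue
            avg = mean(gaps)
            if avg > 0 and pstdev(gaps) / avg <= max_jitter:
                periodic.append(host)
        if periodic:
            flagged[domain] = sorted(periodic)
    return flagged

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Legitimate software (update checks, telemetry) also beacons on a timer, so a hit here is a hunting lead to be correlated with the domain's hosting and the host's process activity, not a verdict on its own.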
APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry.
The Trend Micro researchers offered some recommendations.
“The continued modernization of facilities for oil, gas, water, and power is making it more difficult to secure them,” the researchers said. “Outright attacks, readily exploitable vulnerabilities, as well as exposed SCADA/HMI are serious issues.”
Here are some of the best practices:
• Establish a regular patching and update policy for all systems. Download patches as soon as possible to prevent cybercriminals from exploiting these security flaws.
• Improve employee awareness on the latest attack techniques that cybercriminals use.
• IT administrators should apply the principle of least privilege to make monitoring of inbound and outbound traffic easier.
• Install a multi-layered protection system that can detect and block malicious intrusions from the gateway to the endpoint.
Securing supply chains to these complex and often multinational systems is also difficult, as they usually have necessary third-party suppliers that are embedded in their core operations. These parties may be overlooked in terms of security, and vulnerabilities in the communication or connections with them are often targeted by cybercriminals.
APT33 is known to use spear phishing emails to gain entry into a target’s network, and given its malicious activity the threat is decidedly serious, the researchers said.