Iran appears to be a hotbed of cyber espionage activity, as researchers have now linked one group to attacks on aerospace and energy companies.
The group, which security firm FireEye calls APT33, has been linked to the Iranian government, has been active for at least four years, and is now targeting companies in the U.S., Saudi Arabia and South Korea.
Since mid-2016, the security firm has spotted attacks by this group aimed at the aviation sector, including military and commercial aviation, and at energy companies with connections to petrochemical production, FireEye researchers said in a blog post written by Jaqueline O’Leary, Josiah Kimble, Kelli Vanderlee, and Nalani Fraser.
“APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea,” the researchers said. “APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.”
The attackers focused on a U.S. aerospace company, a Saudi Arabian business with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals.
In addition, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.
“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” the researchers said.
“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.
“The emergence of the Iranian hacker group APT33 reinforces the concerns of cybersecurity stakeholders that have been highlighted in the 2017 SANS Survey, regarding the fact that this hacking group seems to be state-funded and is actively targeting industrial networks using conventional IT network channels,” said Edgard Capdevielle, chief executive of Nozomi Networks. “In the case of APT33, the group attacks their targets using job recruitment phishing emails aimed at the aerospace industry. While the geo-political motivations of APT33 are targeted against Saudi Arabian interests for now, global aerospace and energy organizations should take notice of APT33’s methods of attack to implement proper detection and remediation strategies.”
According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.
The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.
“We assess an actor using the handle ‘xman_1365_x’ may have been involved in the development and potential use of APT33’s TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of the TURNEDUP samples,” the researchers said.
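The PDB path that the researchers refer to is the developer's local build path, which the compiler embeds in the binary's CodeView (RSDS) debug record. The example below, added here and not taken from the FireEye report, extracts such paths from a raw byte blob and flags any that contain a handle of interest; the sample bytes and the path inside them are constructed for illustration, and only the handle "xman_1365_x" comes from the article.

```python
import re
import struct

# Constructed stand-in for a compiled PE image. Only the RSDS record matters here:
# 'RSDS' (4 bytes) + GUID (16) + age (4) + NUL-terminated PDB path. The path is invented.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + b"C:\\Users\\xman_1365_x\\Desktop\\project\\Release\\backdoor.pdb\x00"
    + b"\x00" * 32
)

RSDS_SIGNATURE = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4  # signature + GUID + age


def looks_like_pdb_path(path: str) -> bool:
    """Accept only printable ASCII strings ending in .pdb to avoid random 'RSDS' hits."""
    return path.lower().endswith(".pdb") and all(32 <= ord(c) < 127 for c in path)


def extract_pdb_paths(data: bytes) -> list:
    """Return every plausible PDB path found in CodeView RSDS records in the blob."""
    paths = []
    pos = data.find(RSDS_SIGNATURE)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end == -1:
            break
        try:
            candidate = data[start:end].decode("ascii")
        except UnicodeDecodeError:
            candidate = ""
        if candidate and looks_like_pdb_path(candidate):
            paths.append(candidate)
        pos = data.find(RSDS_SIGNATURE, pos + 4)
    return paths


def username_from_path(path: str):
    """Pull the Windows account name out of a C:\\Users\\<name>\\... build path, if present."""
    m = re.search(r"[\\/]Users[\\/]([^\\/]+)[\\/]", path, re.IGNORECASE)
    return m.group(1) if m else None


def match_handles(data: bytes, handles) -> list:
    """Return (pdb_path, handle) pairs for every path that contains a watched handle."""
    hits = []
    for path in extract_pdb_paths(data):
        for handle in handles:
            if handle.lower() in path.lower():
                hits.append((path, handle))
    return hits
```

A real triage script would read the path from the PE debug directory rather than scanning for the signature, but the byte layout of the record is the same.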
In short, FireEye researchers said the attackers were seeking information to support the Iranian government’s various aims.
“Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries,” the researchers said. “Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor. APT33’s use of multiple custom backdoors suggests that they have access to some of their own development resources, with which they can support their operations, while also making use of publicly available tools. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.”