Iranian threat actor APT33 targets Saudi aviation and energy sectors
FireEye, the intelligence-led security company, announced details of an Iranian hacking group with potential destructive capabilities which FireEye has named APT33. FireEye analysis reveals that APT33 has carried out cyber espionage operations since at least 2013 and is likely to work for the Iranian government. This information comes from recent investigations by FireEye Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis which uncovered information on APT33’s operations, capabilities, and potential motivations.
APT33 has targeted organisations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. The group has shown particular interest in organisations in the aviation sector involved in both military and commercial capacities, as well as organisations in the energy sector with ties to petrochemical production.
From mid-2016 through early 2017, APT33 compromised a US organisation in the aviation sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings. During the same time period, the group also targeted a South Korean company involved in oil refining and petrochemicals. In May 2017, APT33 appeared to target a Saudi Arabian organisation and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.
FireEye analysts believe the targeting of the Saudi Arabian organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies could be due to South Korea’s partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi Arabian petrochemical companies. APT33 may have targeted these organisations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region.
The group sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application files. The files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.
In a few cases, APT33 operators left in the default values of the shell’s phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, the group sent emails to the same recipients with the default values removed.
APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organisations that have partnerships to provide training, maintenance and support for Saudi Arabia’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organisations.
APT33’s targeting of organisations involved in aviation and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored. This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters the FireEye assessment that APT33 is likely to have operated on behalf of the Iranian government.
John Hultquist, Director of Intelligence Analysis at FireEye said, “Iran has repeatedly demonstrated a willingness to globally leverage its cyber espionage capabilities. Its aggressive use of this tool, combined with shifting geopolitics, underscore the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world. Identifying this group and its destructive capability presents an opportunity for organisations to detect and deal with related threats proactively.”