Revealing the operations of Iranian hacking group APT33, US-based cyber security firm FireEye said on Thursday the cybercriminals, who have targeted the energy and aviation sectors, are likely to have worked with the Iranian government. APT33 has carried out cyber espionage operations since at least 2013 and has targeted organisations headquartered in the US, Saudi Arabia and South Korea. APT33’s targeting of organisations aligns with nation-state interests, implying that the threat actor is most likely government sponsored.
This, coupled with the timing of operations which coincides with Iranian working hours and the use of multiple Iranian hacker tools and name servers, bolsters the assessment that APT33 is likely to have operated on behalf of the Iranian government. “Iran has repeatedly demonstrated a willingness to globally leverage its cyber espionage capabilities. Its aggressive use of this tool, combined with shifting geopolitics, underscore the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world,” John Hultquist, Director of Cyber Espionage Analysis at FireEye, said in a statement.
“Identifying this group and its destructive capability presents an opportunity for organizations to detect and deal with related threats proactively,” added Hultquist. According to the report, the group has shown particular interest in organisations in the aviation sector involved in both military and commercial capacities, as well as organisations in the energy sector with ties to petrochemical production.
The group sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application files. From mid-2016 through early 2017, APT33 compromised a US organisation in the aviation sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.
During the same time period, the group also targeted a South Korean company involved in oil refining and petrochemicals. In May 2017, APT33 appeared to target a Saudi Arabian organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.