A cyber espionage group targeting aerospace, defence and energy organisations in the United States, Saudi Arabia and South Korea has recently been uncovered by security researchers. In research published on Wednesday, the US security firm FireEye stated that an Iranian hacking group named Advanced Persistent Threat 33 (APT33) has been targeting critical infrastructure, energy and military sectors. According to the research findings, the large-scale cyber-espionage operation to gather intelligence and steal trade secrets has been going on since 2013.
The security firm also said it has evidence that APT33's operations are backed by the Iranian government.
FireEye's research findings indicate that APT33 has carried out cyber attacks since at least 2016. The group has successfully targeted the aviation sector, both military and commercial, as well as organisations in the energy sector with links to petrochemicals.
The organisations targeted by APT33 are a US firm in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in oil refining and petrochemicals.
In the latest incident, in May 2017, APT33 targeted employees of a Saudi organisation and a South Korean business conglomerate. The attack used malicious files that lured employees with job vacancies at a Saudi Arabian petrochemical company.
The FireEye report says:
We believe the targeting of the Saudi organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies.
APT33's modus operandi is to send spear phishing emails containing malicious HTML links to the targeted organisation in order to infect the targets' computers with malware. The malware used by APT33 in its operations includes DROPSHOT (dropper), SHAPESHIFT (wiper) and TURNEDUP (a custom backdoor, which is the final payload).
Earlier reports released by Kaspersky suggest that DROPSHOT was tracked by its researchers as the StoneDrill disk-wiping malware, which targeted a petroleum company in Europe and is believed to be an updated version of the Shamoon 2 malware.
In its report, Kaspersky said: "Although we have only directly observed APT33 use DROPSHOT to deliver the TURNEDUP backdoor, we have identified multiple DROPSHOT samples in the wild that drop SHAPESHIFT."
The SHAPESHIFT malware is able to wipe disks, erase volumes and delete files, depending on its configuration.
FireEye's findings indicate that APT33 sent hundreds of spear phishing emails last year from several domains. These domains were spoofed to look like those of Saudi aviation companies and international organisations, including Boeing, Alsalam Aircraft Company and Northrop Grumman Aviation Arabia.
Further, the security firm's findings suggest that APT33 is linked to the Nasr Institute, an Iranian government organisation known for conducting cyber warfare operations.
In an earlier event in July, researchers at Trend Micro and the Israeli firm ClearSky discovered a similar Iranian espionage group named Rocket Kittens. Rocket Kittens has also been active since 2013, targeting organisations and individuals, including diplomats and researchers, in Israel, Saudi Arabia, Turkey, the United States, Jordan and Germany.
Although the two groups operate similarly, FireEye's current blog post does not mention any link between them.