FireEye uncovers ‘destructive’ Iran govt-linked hacking group APT33

Says group has successfully compromised a US-based aviation firm

SECURITY COMPANY FireEye has revealed details of an Iranian hacking group, dubbed APT33, that it believes has “destructive capabilities.”

According to analysis from FireEye, APT33 has carried out cyber espionage operations since at least 2013, and the firm believes that the hackers are likely to be working for the Iranian government.

FireEye Mandiant’s incident response consultants found that APT33 had targeted organisations in a number of industries that were headquartered in the US, Saudi Arabia, and South Korea.

The group has allegedly shown “particular interest in organisations in the aviation sector, involved in both military and commercial capacities, as well as organisations in the energy sector with ties to petrochemical production”.

FireEye did not mention any specific companies, but said that APT33 had compromised a US-based aviation firm, and a business conglomerate located in Saudi Arabia that has aviation holdings. It simultaneously targeted a Saudi Arabian organisation and a South Korean business conglomerate using a malicious file that enticed victims with job vacancies for a Saudi Arabian petrochemical company.

FireEye suggested that APT33 may have targeted these organisations to help Iran expand its own petrochemical production and improve competitiveness within the region.

Spear-phishing emails were sent to employees whose jobs related to the aviation industry, asking them to click on links.

However, FireEye noticed operational mistakes by the APT33 operators: default values had been left in the phishing module of the shell they used. Minutes after sending the emails containing the default values, the group sent new emails to the same recipients with the default values removed.

APT33 also allegedly registered multiple domains relating to the targeted companies, which may also have been used in the phishing attacks.

The security company said APT33’s targeting of companies with links in aviation and energy aligns with nation-state interests, which suggests that the hackers are government sponsored.
