Recent investigations by FireEye’s Mandiant incident response consultants combined with FireEye iSIGHT Threat Intelligence analysis have given us a more complete picture of APT33’s operations, capabilities, and potential motivations. This blog highlights some of our analysis. Our detailed report on FireEye MySIGHT contains a more thorough review of our supporting evidence and analysis. We will also be discussing this threat group further during our webinar on Sept. 21 at 8 a.m. ET.
APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.
During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.
We assess that the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may be looking to gain insights into Saudi Arabia’s military aviation capabilities, either to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis-à-vis Saudi Arabia.
We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies. Iran has expressed interest in growing its petrochemical industry and has often framed this expansion as competition with Saudi petrochemical companies. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region.
The generalized targeting of organizations involved in energy and petrochemicals mirrors previously observed targeting by other suspected Iranian threat groups, indicating a common interest in the sectors across Iranian actors.
APT33 sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.
An example .hta file excerpt is provided in Figure 2. To the user, the file would appear as benign references to legitimate job postings; however, unbeknownst to the user, the .hta file also contained embedded code that automatically downloaded a custom APT33 backdoor.
We assess APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send hundreds of spear phishing emails to targeted individuals in 2016. Many of the phishing emails appeared legitimate – they referenced a specific job opportunity and salary, provided a link to the spoofed company’s employment website, and even included the spoofed company’s Equal Opportunity hiring statement. However, in a few cases, APT33 operators left in the default values of the shell’s phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, APT33 sent emails to the same recipients with the default values removed.
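The lure pattern described above (recruitment-themed mail carrying links to .hta files) is easy to triage at the mail gateway. The following Python triage routine is an added example, not FireEye's code or anything from the report: it scores constructed mail-log records by whether any linked URL resolves to an .hta file and whether the subject uses hiring vocabulary, so that the combination that matches this campaign is escalated first. The record fields and keyword list are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hiring-themed vocabulary seen in recruitment lures; assumed list, extend per environment.
RECRUIT_KEYWORDS = ("job", "vacancy", "position", "career", "recruit", "salary")


@dataclass
class MailRecord:
    """Minimal mail-gateway log record (assumed schema for this example)."""
    msg_id: str
    sender: str
    subject: str
    urls: list = field(default_factory=list)


def link_is_hta(url: str) -> bool:
    """True when the URL path ends in .hta, ignoring case, query string and fragment.

    urlparse() splits query/fragment off, so 'x.HTA?id=1' is still caught.
    """
    return urlparse(url).path.lower().endswith(".hta")


def recruitment_themed(subject: str) -> bool:
    """True when the subject uses hiring vocabulary, matched on whole words."""
    words = re.findall(r"[a-z]+", subject.lower())
    return any(w.startswith(RECRUIT_KEYWORDS) for w in words)


def classify(rec: MailRecord) -> str:
    """Severity for one record: 'high' for .hta link plus hiring theme,
    'medium' for any .hta link, 'none' otherwise."""
    has_hta = any(link_is_hta(u) for u in rec.urls)
    if has_hta and recruitment_themed(rec.subject):
        return "high"
    if has_hta:
        return "medium"
    return "none"


# Constructed sample records; domains use the reserved .test/.example TLDs.
SAMPLE_LOG = [
    MailRecord("m1", "hr@example-aero.test",
               "Job vacancy: Systems Engineer - salary details",
               ["http://jobs.example-aero.test/Engineer.hta"]),
    MailRecord("m2", "alice@example.com", "Lunch?",
               ["https://example.com/menu.html"]),
    MailRecord("m3", "it@example.org", "Quarterly report",
               ["http://files.example.org/report.HTA?x=1"]),
    MailRecord("m4", "careers@example-petro.test", "Open position",
               ["https://example-petro.test/careers/123"]),
]


def flagged(records=SAMPLE_LOG) -> dict:
    """Map msg_id -> severity for every record that is not 'none'."""
    out = {}
    for rec in records:
        sev = classify(rec)
        if sev != "none":
            out[rec.msg_id] = sev
    return out


if __name__ == "__main__":
    for msg_id, sev in flagged().items():
        print(f"{msg_id}: {sev}")
```

Running the block prints the two records that carry .hta links; m1 ranks highest because it also matches the hiring theme, while m4 is recruitment-themed but links only to an ordinary careers page and is left alone. In production the same check belongs in the gateway's URL-rewriting or sandbox-submission policy, where an .hta link can be detonated or blocked before the user ever sees the job description.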