Iranian cyber spies APT33 target aerospace and energy organizations

The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.

According to security firm FireEye, a cyber espionage group linked to the Iranian Government, dubbed APT33, has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.

The APT33 group has been around since at least 2013, since mid-2016, the group targeted the aviation industry and energy companies with connections to petrochemical production.

“From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.” reads a blog post published by FireEye.

“During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals. More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.”

According to the experts, the APT33 group is gathering information on Saudi Arabia’s military aviation capabilities to gain insight into rivals in the MiddleEast.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” continues FireEye.

“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” 

The cyberspies leverage spear phishing emails sent to employees whose jobs related to the aviation industry.

The recruitment themed messages contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be of interest for the victims.

The experts noticed APT33 used a built-in phishing module within the publicly available ALFA TEaM Shell (aka ALFASHELL) to send phishing messages to targeted individuals in 2016.

The attackers set up several domains that appeared as belonging to Saudi aviation firms and other companies that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.

The malware used by the APT33 group includes a dropper dubbed DROPSHOT that has been linked to the wiper malware SHAPESHIFT, tracked by Kaspersky as StoneDrill, used in targeted attacks against organizations in Saudi Arabia. The arsenal of the group also includes a backdoor called TURNEDUP.

Kaspersky experts linked the StoneDrill malware to the Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.

The researchers identified an actor using the handle “xman_1365_x” that has been involved in the development and use of the TURNEDUP backdoor.

“Xman_1365_x was also a community manager in the Barnamenevis Iranian programming and software engineering forum, and registered accounts in the well-known Iranian Shabgard and Ashiyane forums, though we did not find evidence to suggest that this actor was ever a formal member of the Shabgard or Ashiyane hacktivist groups.” continues FireEye.

FireEye cited open source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is the equivalent to Iran’s “cyber army” and directly controlled by the Iranian government.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Iran, APT33)

[adrotate banner=”5″]

[adrotate banner=”13″]