Hacking Group With Possible Links to Iran Discovered by Security Firm, FireEye

Iranian commitment to using cyber operations to collect information in support of IRGC intelligence priorities.

by Navid Felker

FireEye’s Mandiant Compromise Assessment service allows organizations to evaluate their environments for the presence of targeted attacker activity. The Compromise Assessment has helped many organizations identify or confirm security breaches that had existed for years and resulted in theft of valuable intellectual property, personally identifiable information, payment card information, or other sensitive information. According to analysis from FireEye, APT33, a hacking group, is believed to be working for the Iranian government.

Mandiant’s incident response consultants found that APT33 targeted organizations in a number of industries headquartered in the US, Saudi Arabia, and South Korea.

Since at least 2013, APT33 has carried out cyber espionage operations, and allegedly, the group has shown “particular interest in organizations involved in the aviation sector, in both the military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.”

While FireEye did not name specific companies, it said that APT33 compromised a US-based aviation firm and a Saudi Arabian business conglomerate with aviation holdings.

APT33 is believed to have also targeted a Saudi Arabian organization, as well as a South Korean business conglomerate, by using malware that lured victims with job vacancies for a Saudi Arabian petrochemical company. FireEye said that phishing e-mails were sent to employees whose jobs are related to the aviation industry, asking them to click on links.

Fortunately, FireEye noticed an operational mistake by the APT33 operators: default values had been left in the phishing module of the shell they used. After sending emails containing those default values, the group sent new emails, with the default values removed, to the same recipients just minutes later.

APT33 may also have registered multiple domains related to the targeted companies, which could have been used in the phishing attacks as well.

FireEye said APT33’s targeting of companies with links to aviation and energy aligns with nation-state interests, which suggests that the hackers are government sponsored. The group may have targeted these organizations to assist Iran in expanding its petrochemical production and improving its competitiveness in the region, FireEye suggested.

The Director of Intelligence Analysis at FireEye, John Hultquist, said, “Iran has repeatedly demonstrated a willingness to globally leverage its cyber espionage capabilities.” He added, “Its aggressive use of this tool, combined with shifting geopolitics, underscores the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world. Identifying this group and its destructive capability presents an opportunity for organizations to detect and deal with related threats proactively.”