A close look at the infamous APT33 threat actor group which has hit over 200 companies in just two years

• The Holmium threat actor group has been active since at least 2013.
• They target firms specifically located in the US, Saudi Arabia, and South Korea.

In its recent report, Microsoft has revealed that the infamous APT33 also known as Holmium or Magnallium cybercriminal group has stolen data from about 200 companies in the past two years. These Iranian hackers penetrated into systems, businesses, and governments and have causes hundreds of millions of dollars in damages. The Holmium threat actor group has been active since at least 2013.

Primary targets - The Holmium threat actor group has targeted organizations spanning across different sectors. They targeted firms specifically located in the US, Saudi Arabia, and South Korea. Lately, the group has shifted its focus on the aviation firms that are involved in both military and commercial capacities. It is also targeting those organizations that are tied to petrochemical production.

How do they operate - The APT33 primarily relies on spear-phishing emails to conduct a majority of its attacks. These emails include URLs that are linked to some specific files (such as .hta). Once the user clicks on the URL, it downloads the malware, thus initiating the infection process.

The cybercriminal group also uses a range of malware in its different attack campaigns. This includes SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, and ALFA Shell. The group also leverages popular Iranian hacker tools and DNS servers for its attack campaigns.

Known attacks

• From mid-2016 to early 2017, the Magnallium threat actor group compromised a US firm in the aerospace sector and targeted a business group located in Saudi Arabia.
• During the same time, it also targeted a South Korean company doing business in oil refining and petrochemicals.
• In May 2017, it targeted a Saudi organization and a South Korean business by using a fake job phishing campaign. The hackers enticed victims with job vacancies for a Saudi Arabian petrochemical company.
• In one incident, APT33 used domain squatting technique to target various organizations in Saudi Arabia. It registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations and tricked victims to provided training, maintenance and support for Saudi’s military and commercial fleet. The following domains masquerade as these organizations: Boeing, Alsalam Aircraft Company, Northrop Grumman Aviation Arabia (NGAAKSA), and Vinnell Arabia, noted FireEye.
• The group was also responsible for the attacks involving Shamoon data-wiper malware last year. The malware was used to target industrial players in the Middle East and Europe.

The bottom line - Given the type of malware and attack techniques used, experts believed that the group is slowly expanding its operation to other countries.

“Its aggressive use of the tools, combined with shifting geopolitics, underscores the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world. Identifying this group and its destructive capability presents an opportunity for organizations to detect and deal with related threats proactively," FireEye explained.