In its recent report, Microsoft has revealed that the infamous APT33 cybercriminal group, also known as Holmium or Magnallium, has stolen data from about 200 companies in the past two years. These Iranian hackers penetrated the systems of businesses and governments and have caused hundreds of millions of dollars in damages. The Holmium threat actor group has been active since at least 2013.
Primary targets - The Holmium threat actor group has targeted organizations spanning different sectors. They have targeted firms located specifically in the US, Saudi Arabia, and South Korea. Lately, the group has shifted its focus to aviation firms operating in both military and commercial capacities. It is also targeting organizations tied to petrochemical production.
How do they operate - APT33 primarily relies on spear-phishing emails to conduct the majority of its attacks. These emails include URLs that link to specific file types (such as .hta). Once the user clicks the URL, the file downloads the malware, thus initiating the infection process.
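The delivery step described above leaves a trace a defender can look for: a user clicking the e-mailed link produces a web-proxy request for an .hta file. The following is an added detection example, not code from the original article or from Microsoft or FireEye; the proxy log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example, and the check also flags an .hta name passed in a query-string parameter, which goes slightly beyond the .hta link the article mentions.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample web-proxy log lines (assumed format:
# "timestamp client_ip method url status"); none of these hosts or paths are real.
SAMPLE_PROXY_LOG = """2019-03-01T10:02:11Z 10.0.0.15 GET http://example.invalid/docs/report.pdf 200
2019-03-01T10:03:45Z 10.0.0.15 GET http://example.invalid/careers/job-offer.hta 200
2019-03-01T10:04:02Z 10.0.0.22 GET http://example.invalid/update?file=setup.HTA&id=7 200
2019-03-01T10:05:30Z 10.0.0.22 GET http://example.invalid/images/logo.png 200
"""

# One regex per assumed log line layout; lines that do not match are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def is_hta_request(url: str) -> bool:
    """Return True if the URL path, or any query-parameter value, names an .hta file.

    Matching is case-insensitive so that SETUP.HTA is treated like setup.hta.
    """
    parsed = urlparse(url)
    if parsed.path.lower().endswith(".hta"):
        return True
    # Also catch an HTA delivered through a parameter, e.g. /update?file=setup.hta
    for values in parse_qs(parsed.query).values():
        if any(v.lower().endswith(".hta") for v in values):
            return True
    return False


def find_hta_downloads(log_text: str) -> List[Dict[str, str]]:
    """Scan proxy log text and return the requests that fetched an .hta file."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line; a real pipeline would count these
        if is_hta_request(match["url"]):
            hits.append({"ts": match["ts"], "client": match["client"], "url": match["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_hta_downloads(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} fetched HTA: {hit['url']}")
```

In a real environment the same check would run over the proxy or DNS telemetry the organization already collects, and a hit would be triaged together with the user's recent e-mail to find the message that carried the link.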
The cybercriminal group also uses a range of malware across its attack campaigns, including SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, and ALFA Shell. The group also leverages popular Iranian hacker tools and DNS servers in its attack campaigns.
The bottom line - Given the type of malware and attack techniques used, experts believe that the group is slowly expanding its operations to other countries.
"Its aggressive use of the tools, combined with shifting geopolitics, underscores the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world. Identifying this group and its destructive capability presents an opportunity for organizations to detect and deal with related threats proactively," FireEye explained.