- APT33 likely has links to the recent destructive SHAMOON attacks.
- APT33 has likely maintained custom tools such as the PowerShell backdoor Powerton, in addition to publicly available tools.
The infamous Shamoon malware, which first appeared in 2012 and later popped up again in 2016 and 2017, targeted the Saudi oil giant Aramco, as well as other entities across the Middle East. The malware caused major damage to Aramco’s operations during the 2012 attack, infecting over 35,000 workstations. Although it did not have an equally destructive effect in the 2016 and 2017 attacks, it still shook the industrial community.
In a separate case last year, the energy and aerospace industries were hit with targeted spear phishing attacks. The threat actor responsible for it, dubbed APT33, is widely believed to be an Iranian state-sponsored cyberespionage group.
Both of the above-mentioned series of attacks were believed to be the work of different threat actors. But recent research by FireEye suggests otherwise. According to FireEye's blog post, the firm identified overlaps in the malicious activity detected in both cases, which support the claim that both attacks are linked to a single threat actor - APT33.
“We subsequently concluded, with medium confidence, that two specific early-phase intrusions were the work of a single group. Advanced Practices then reconstructed an operational timeline based on confirmed APT33 activity observed in the last year,” FireEye researchers said. “We compared that to the timeline of the contained intrusions and determined there were circumstantial overlaps to include remarkable similarities in tool selection during specified timeframes. We assess with low confidence that the intrusions were conducted by APT33.”
Additionally, FireEye stated that public discussions about the recent SHAMOON attacks also indicate attack infrastructure related to that observed in the APT33 analysis.
Attackers stronger than before
According to FireEye’s analysis, APT33 has likely maintained custom tools like the PowerShell backdoor Powerton, apart from the publicly available tools. Since no tool with a similar code base exists, Powerton is believed to be a custom-built backdoor. This indicates the group’s extensive malware developing capabilities.
“POWERTON is designed to support multiple persistence mechanisms, including WMI and auto-run registry key. Communications with the C2 are over TCP/HTTP(S) and leverage AES encryption for communication traffic to and from the C2. POWERTON typically gets deployed as a later stage backdoor and is obfuscated several layers,” FireEye researchers said.
Moreover, researchers have spotted at least two separate Powerton variants, tracked as POWERTON.v1 and POWERTON.v2. The second variant has improved command and control (C2) functionality and the ability to dump password hashes, according to the researchers.
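The two persistence locations the article attributes to POWERTON (WMI event subscriptions and auto-run registry keys) are both enumerable from the host. The script below is an added example written for this article and is not FireEye's code or a published POWERTON signature; it lists every permanent WMI subscription binding and every value under the common Run/RunOnce keys, and flags entries that launch PowerShell with an encoded or hidden command. The `$suspicious` regex and the function names are assumptions chosen for illustration.

```powershell
# Added example (not from the article or FireEye): enumerate WMI event
# subscriptions and auto-run registry keys, the two persistence mechanisms the
# article attributes to POWERTON, and flag PowerShell launchers.
# Run on the Windows host being examined; reading HKLM Run keys and the
# root\subscription namespace does not normally require elevation.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed heuristic: powershell.exe started with an encoded command, a hidden
# window or -nop is worth a closer look. This is an illustration, not a signature.
$suspicious = '(?i)powershell(\.exe)?.*(-e(nc|ncodedcommand)?\s|-w(indowstyle)?\s+hidden|-nop\b)'

function Get-AutorunFindings {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... metadata PowerShell adds to the object
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Source     = 'Registry'
                Location   = "$key\$($p.Name)"
                Command    = [string]$p.Value
                Suspicious = ([string]$p.Value) -match $suspicious
            }
        }
    }
}

# Reference properties on a binding may arrive as a CimInstance (Get-CimInstance)
# or as a path string like __EventFilter.Name="x" (Get-WmiObject); handle both.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -replace '.*Name="([^"]*)".*', '$1') }
    return $ref.Name
}

function Get-WmiSubscriptionFindings {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

    foreach ($b in $bindings) {
        $filterName   = Get-RefName $b.Filter
        $consumerName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $filterName
        $c = $consumers | Where-Object Name -eq $consumerName
        if (-not $c) { continue }   # dangling binding: nothing executes
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }
        [pscustomobject]@{
            Source     = 'WMI'
            Location   = "$filterName -> $consumerName ($($c.CimClass.CimClassName))"
            Command    = "$($f.Query) | $payload"
            Suspicious = ([string]$payload) -match $suspicious
        }
    }
}

@(Get-AutorunFindings) + @(Get-WmiSubscriptionFindings) |
    Sort-Object Suspicious -Descending |
    Format-Table Source, Suspicious, Location, Command -AutoSize -Wrap
```

Flagged rows are leads, not verdicts: legitimate software also registers Run keys and some management agents use WMI subscriptions, so compare each hit against a known-good baseline for the host before acting on it.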
Attacks likely to escalate in the future
In their blog post, FireEye researchers warned about the increase in email-based phishing attacks in recent years. Mandiant researchers also recently discovered new methods for subverting multifactor authentication.
The researchers also pointed out various scenarios in which an organization’s security could get compromised:
- Third-party breaches where the organization’s employees have re-used credentials.
- Previous compromise within the organization, where credentials were compromised but not identified or reset.
- Poor password choices or password security policies resulting in brute-forced credentials.
- Gathering of crackable password hashes from various other sources, such as NTLM hashes gathered via documents intended to phish them from users.
- Credential harvesting phishing scams, where harvested credentials may be sold, reused or documented permanently elsewhere on the internet.
Given the constantly evolving attack capabilities of the APT33 threat actors, organizations across the globe need to employ more effective security practices to bolster their cyber defenses.