Threat Actor Profile
Origin: Iran, 2013
Key Target Sectors: Manufacturing, Energy and Power, Aerospace, Defense, Petrochemical
Attack Vectors: Spear Phishing, Backdoor, Domain Masquerading
Target Region: Western Asia, North America, Eastern Asia, Middle East
Malware Used: Dropshot, Nanocore, Netwire, Turnedup, Dorkbot, Empire, Poshc2, Mimikatz Tool, Aut2exe, Stonedril, PupyRAT, PowerSploit, Carberp, Shamoon 3, Powerton
Motive: Cyber Espionage, Data Theft
APT33 is a lesser-known but powerful cyber-espionage group believed to operate at the behest of the Iranian government. Active since 2013, the group has targeted businesses across several countries, but it drew wider attention when it was linked to a new wave of Shamoon attacks in December 2018.
Which organizations have they targeted?
Also known as Holmium and Magnallium, APT33 has targeted organizations across multiple industries in the United States, South Korea, and Saudi Arabia. The group has shown interest in a wide range of targets, including government, manufacturing, research, engineering, chemical, finance, and telecommunications. From late 2016 until mid-2017, the group focused on the aviation industry (both military and commercial), along with organizations in the energy sector. Notable targets included a US-based aerospace organization, a Saudi Arabia-based business conglomerate with aviation holdings, and a South Korean company involved in petrochemicals and oil refining. In December 2018, APT33 was linked to the wave of Shamoon 3 attacks, which were largely aimed at Middle Eastern assets of the Italian oil and gas services company Saipem, along with a few other organizations in the United Arab Emirates and Saudi Arabia. Several similarities between Shamoon 3 and DROPSHOT (the dropper malware used by APT33), such as the use of similar anti-emulation techniques, suggested APT33's involvement in the Shamoon 3 wave. At the same time, there were several differences in TTPs (such as the use of different languages, and APT33's use of custom and publicly available tools that were absent from the Shamoon-specific targets), leaving open the possibility that another Iranian group with shared infrastructure was involved, or that the group's TTPs have evolved.
What is their motivation behind the attacks?
The group's interest in the aviation sector may indicate a desire to gain intelligence on regional military aviation capabilities, either to enhance Iran's own aviation capabilities or to support Iran's strategic and military decision making. The South Korean organizations were probably targeted because of South Korea's relationships with Saudi petrochemical organizations. The targeting of various holding companies and organizations in the energy sector aligns with Iranian national interests for growth, particularly as they relate to increasing petrochemical production.
The primary attack vector used by APT33 is spear-phishing email, in which the group often leverages common or localized events and activities to lure its targets. In September 2017, APT33 used spear-phishing emails to target employees in the aviation industry; the lures carried recruitment-related themes and contained links to malicious HTML application (.hta) files. APT33 is also known to use known exploits to penetrate organization networks. In the December 2018 attacks, the group leveraged a publicly available exploit (CVE-2017-0213) to perform a privilege escalation attack. It also leveraged CVE-2017-11774 to download and execute an OS-based version of the publicly available .NET Poshc2 backdoor together with a newly identified PowerShell-based implant self-named Powerton. In attacks in February 2019, the group was observed exploiting the known vulnerability (CVE-2018-20250) in WinRAR.
Known tools and malware
APT33 often uses custom-built malware (mostly backdoors), suggesting access to skilled development resources. Its custom tools include a dropper called DropShot, which can deploy a wiper called ShapeShift or install a backdoor called TurnedUp. The group also uses publicly available tools (such as Mimikatz, Alfashell and the Windows Sysinternals PROCDUMP utility) to carry out espionage operations. It has registered multiple domains masquerading as commercial entities, including Alsalam Aircraft Company, Boeing, Vinnell and Northrop Grumman.
Some of the custom tools used by APT33 include:
- Dropshot - The Dropshot dropper is usually observed dropping and launching the Turnedup backdoor, as well as the Shapeshift wiper malware.
- Nanocore - Nanocore is a publicly available Remote Access Trojan (RAT) sold online. It can operate as a full-featured backdoor, with support for additional plugins.
- Netwire - Netwire is a backdoor that attempts to steal credentials from the local machine. It also supports general backdoor features.
- Turnedup - Turnedup is a backdoor capable of uploading and downloading files, taking screenshots, creating a reverse shell, and gathering system information.
Several of APT33's espionage operations align with the nation-state interests of the Iranian government. The use of Iranian hacker tools and name servers, taken together with the timing of operations (which matches Iranian working hours), strongly suggests that the group is connected to the Iranian government. One hacker using the moniker 'xman_1365_x' was found connected to both the TurnedUp tool code and the Iranian Nasr Institute, which has in turn been linked to the Iranian Cyber Army. 'xman_1365_x' holds accounts on Iranian hacker forums, including Ashiyane and Shabgard.
To prepare proactively against threats like APT33, organizations should adopt advanced threat intelligence platforms and behavior-based anti-malware detection solutions that capture and neutralize evolving IOCs and TTPs in real time. Organizations should share strategic and tactical threat intelligence with trusted partners, ISACs and regulatory bodies in order to pass on lessons learned and develop shared strategies for combating such threats. A threat intel-driven approach enables the exchange of Indicators of Compromise (IOCs) such as domain names, IP addresses, file hashes, YARA rules and Snort signatures, so that the organization is protected against these threats. Adding all known malicious IPs and domains to a watchlist, and alerting when anything on the internal network contacts them, adds a further defensive layer that can expose an attacker already operating inside the organization's network. A regular review of the data flowing through the network perimeter can help detect the activity of Shamoon-like malware deployed by threat actors such as APT33.
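The watchlist and domain-masquerading points above can be turned into a simple resolver-log check. The following is an added example written for this profile, not tooling from the original page: it flags queries for domains on an operator-supplied IOC watchlist and for domains whose registrable label embeds or closely resembles one of the brands the page says APT33 impersonated. The watchlist entries, the allowlist and the log lines are all constructed placeholders (.example TLD); no real indicators are included.

```python
import re
from difflib import SequenceMatcher

# Brands named in the profile as impersonated by APT33-registered domains.
BRANDS = ("boeing", "vinnell", "northropgrumman", "alsalam")

# Constructed placeholders: an IOC watchlist and an operator-maintained allowlist.
WATCHLIST = {"hr-recruit-portal.example", "svc-update.example"}
LEGITIMATE = {"boeing.com"}

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+)")

def registrable(domain: str) -> str:
    """Last two labels, e.g. 'boeing-recruitment.example'.
    Assumes single-label public suffixes; .co.uk-style suffixes need a PSL lookup."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def lookalike_brand(domain: str, threshold: float = 0.8):
    """Return the impersonated brand, or None for allowlisted/unrelated domains."""
    reg = registrable(domain)
    if reg in LEGITIMATE:
        return None
    label = reg.split(".")[0].replace("-", "").replace("_", "")
    for brand in BRANDS:
        if brand in label:                                  # boeing-recruitment
            return brand
        if SequenceMatcher(None, brand, label).ratio() >= threshold:
            return brand                                    # b0eing, northropgruman
    return None

def scan_dns_log(lines):
    """Return (timestamp, source, qname, reason) for every watchlist or lookalike hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        qname = m["qname"].lower().rstrip(".")
        if registrable(qname) in WATCHLIST:
            hits.append((m["ts"], m["src"], qname, "watchlist"))
            continue
        brand = lookalike_brand(qname)
        if brand:
            hits.append((m["ts"], m["src"], qname, f"lookalike:{brand}"))
    return hits

# Constructed sample resolver log, not captured traffic.
SAMPLE_LOG = [
    "2019-02-11T08:02:11Z 10.0.5.23 query: www.boeing.com.",
    "2019-02-11T08:02:40Z 10.0.5.23 query: careers.boeing-recruitment.example.",
    "2019-02-11T08:03:02Z 10.0.5.41 query: b0eing.example.",
    "2019-02-11T08:03:19Z 10.0.5.41 query: hr-recruit-portal.example.",
    "2019-02-11T08:04:00Z 10.0.5.50 query: intranet.corp.example.",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(*hit)
```

The ratio threshold trades false positives for recall; tune it against your own resolver logs before alerting on it.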
Indicators of Compromise