Skip to main content

APT33 exposed


Security researchers have recently uncovered a cyber espionage group targeting aerospace, defence and energy organisations in the United States, Saudi Arabia and South Korea.

According to the latest research published Wednesday by US security firm FireEye, an Iranian hacking group that it calls Advanced Persistent Threat 33 (or APT33) has been targeting critical infrastructure, energy and military sectors since at least 2013 as part of a massive cyber-espionage operation to gather intelligence and steal trade secrets.

The security firm also says it has evidence that APT33 works on behalf of Iran's government.

FireEye researchers have spotted cyber attacks aimed by APT33 since at least May 2016 and found that the group has successfully targeted aviation sector—both military and commercial—as well as organisations in the energy sector with a link to petrochemical.

The APT33 victims include a U.S. firm in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean company involved in oil refining and petrochemicals.

Most recently, in May 2017, APT33 targeted employees of a Saudi organisation and a South Korean business conglomerate using a malicious file that attempted to entice them with job vacancies for a Saudi Arabian petrochemical company.

"We believe the targeting of the Saudi organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies," the FireEye report reads.

APT33 targets organisations by sending spear phishing emails with malicious HTML links to infect targets' computers with malware. The malware used by the espionage group includes DROPSHOT (dropper), SHAPESHIFT (wiper) and TURNEDUP (custom backdoor, which is the final payload).


The SHAPESHIFT malware can wipe disks, erase volumes and delete files, depending on its configuration.

According to FireEye, APT 33 sent hundreds of spear phishing emails last year from several domains, which masqueraded as Saudi aviation companies and international organisations, including Boeing, Alsalam Aircraft Company and Northrop Grumman Aviation Arabia.

The security firm also believes APT 33 is linked to Nasr Institute, an Iranian government organisation that conducts cyber warfare operations.

Comments

Post a Comment

Popular posts from this blog

‘Infraud’ Cybercrime Forum is Busted, 13 hackers arrested & 36 charged

The U.S. Justice Department announced charges on Wednesday against three dozen individuals thought to be key members of ‘ Infraud ,” a long-running cybercrime forum that federal prosecutors say cost consumers more than a half billion dollars. In conjunction with the forum takedown, 13 alleged Infraud members from the United States and six other countries were arrested. Started in October 2010, Infraud was short for “In Fraud We Trust,” and collectively the forum referred to itself as the “Ministry of Fraudulently [sic] Affairs.” As a mostly English-language fraud forum, Infraud attracted nearly 11,000 members from around the globe who sold, traded and bought everything from stolen identities and credit card accounts to ATM skimmers, botnet hosting and malicious software. “Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice,” said John P. Cronan , acting assistant attorne
2 comments
Read more

Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States

Yevgeni Nikulin (29) was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox. The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI. The case in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election  through hacking . Source: US Defense Watch.com In May, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan. “It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as sayin
2 comments
Read more

NanoCore developper busted and senteced for 33 months

  A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison. Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore , to hackers for $25. Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.   This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals. Huddleston admitted to the court that he created his software knowing it would be used
1 comment
Read more