Mitre
Alias
Magnallium, Refined Kitten, Peach Sandstorm, G0064, Elfin, Holmium, APT 33, TA451, Cobalt Trinity, ATK35, ATK 35, APT33
Country
Iran
Sponsor
Iran (Islamic Republic of). State-sponsored
Motivation
Information Theft And Espionage, Sabotage And Destruction
First Seen
2013
Description
(FireEye) When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON (aka Disttrack) to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
APT33 has targeted organizations, spanning multiple industries, headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
APT 33 seems to be closely related to OilRig (APT 34, Helix Kitten, Chrysene) since at least 2017.
Targeted
Industries
Government, Petrochemical, Defense, Energy, Financial, High-tech, Education, Manufacturing, Media, Others, Healthcare, Aviation, Private Sector
Targeted
Countries
USA, Iran, Saudi Arabia, UK, United States, Iraq, South Korea, Israel
Tools
Disttrack
Mimikatz
Darkcomet
Living
Nanocore
Autoit Backdoor
Powerband
Nanocore Rat
Shapeshift
Ruler
Autoit
Empireproject
Poshc2
Turnedup
Remcosrat
Quasarrat
Living Off The Land
Stonedrill
Netwire
Powerton
Lazagne
Juicypotato
Powersploit
Netwire Rc
Filerase
Pslist
Pupyrat
TTP
T1068
T1003
T1204.002
T1048.003
T1555.003
T1546.003
T1552.006
T1573
T1003.005
T1003.004
T1552.001
T1571
T1053
T1059.001
T1003.001
T1552
T1203
T1048
T1204
T1560
T1555
T1566
T1132.001
T1546
T1071
T1027
T1588
T1105
T1566.001
T1204.001
T1071.001
T1110
T1059.005
T1059
T1078
T1547
T1547.001
T1078.004
T1132
T1588.002
T1053.005
T1040
T1566.002
T1573.001
T1560.001
T1110.003
Operations
Performed
[2019-03] Attacks on multiple organizations in Saudi Arabia and U.S. (The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries.) (https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage)
[2019-07] US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks. (The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.) (https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/)
[2019-11] More than a dozen obfuscated APT33 botnets used for extreme narrow targeting (https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/)
Counter
Operations
Nil
Information