FireEye unmasks Iranian hacking group targeting Saudi interests
Cyber security firm reveals operations and techniques of APT33 group that targeted energy and aviation sectors
A hacking group with possible ties to the Iranian government that targeted Saudi Arabia has been revealed by FireEye.
According to the cybersecurity vendor, the group, identified as APT33, has carried out cyber espionage operations since at least 2013 targeting Saudi petrochemical and aviation sectors.
This information comes from recent investigations by FireEye Mandiant incident response consultants, combined with FireEye iSIGHT Threat Intelligence analysis, which uncovered information on APT33’s operations, capabilities, and potential motivations.
From mid-2016 through early 2017, APT33 compromised a U.S. organisation in the aviation sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings, FireEye said in a statement. During the same time period, the group also targeted a South Korean company involved in oil refining and petrochemicals. In May 2017, APT33 appeared to target a Saudi Arabian organisation and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.
FireEye analysts believe the targeting of the Saudi Arabian organisation may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies could be due to South Korea’s partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi Arabian petrochemical companies. APT33 may have targeted these organisations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region, FireEye believes.
The group sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment-themed lures and contained links to malicious HTML application files. The files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.
APT33 also registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organisations that have partnerships to provide training, maintenance and support for Saudi Arabia’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organisations.
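As an added illustration for defenders, not part of FireEye’s report, the routine below triages an incoming message for the two lure characteristics described above: links to HTML application (.hta) files, and sender or link hosts that imitate a protected organisation’s domain. The protected domains and the sample message are constructed placeholders; the article names no specific company.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder domains of organisations we want to protect; the article
# names no specific company, so these are invented for the example.
PROTECTED_DOMAINS = ["contoso-aviation.com", "fabrikam-aero.com"]
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, protected=PROTECTED_DOMAINS):
    """True if host imitates a protected domain without being it or a subdomain of it."""
    h = host.lower().strip(".")
    for legit in protected:
        if h == legit or h.endswith("." + legit):
            return False  # the genuine domain or one of its own subdomains
    reg_name = ".".join(h.split(".")[-2:]).rsplit(".", 1)[0]  # approx. registrable label
    for legit in protected:
        legit_name = legit.rsplit(".", 1)[0]
        if legit_name.replace("-", "") in h.replace("-", ""):
            return True  # brand embedded in a foreign domain or under a different TLD
        if edit_distance(reg_name, legit_name) <= 2:
            return True  # near-miss spelling of the brand
    return False


def triage_email(sender, body):
    """Return the reasons a message matches the lure pattern (empty list = clean)."""
    reasons = []
    sender_host = sender.rsplit("@", 1)[-1]
    if is_lookalike(sender_host):
        reasons.append(f"sender domain imitates a protected domain: {sender_host}")
    for url in LINK_RE.findall(body):
        parsed = urlparse(url)
        if parsed.path.lower().endswith(".hta"):
            reasons.append(f"link to an HTML application file: {url}")
        if is_lookalike(parsed.hostname or ""):
            reasons.append(f"link host imitates a protected domain: {parsed.hostname}")
    return reasons
```

A mail gateway or SIEM rule would feed each message’s sender and body through `triage_email` and route anything with a non-empty result to analyst review.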
FireEye experts reckon APT33’s targeting of organisations involved in aviation and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored. This, coupled with the timing of operations, which coincides with Iranian working hours, and the use of multiple Iranian hacker tools and name servers, bolsters the FireEye assessment that APT33 is likely to have operated on behalf of the Iranian government.