Iranian Cyber Group APT33 Targets Aerospace and Energy Sectors

Security researchers have publicly profiled an Iranian cyber espionage group, Advanced Persistent Threat 33 (APT33), and linked it to destructive malware. Active since at least 2013, APT33 targets aerospace, defense, and energy organizations in the US, Saudi Arabia, and South Korea to gather intelligence and steal trade secrets. According to a recent FireEye report, APT33 is believed to operate on behalf of the Iranian government, with a specific focus on the military and commercial aviation industries and on petrochemical organizations.

APT33’s known victims include a US aerospace firm, a Saudi conglomerate with aviation interests, and a South Korean petrochemical company. In May 2017, the group attempted to compromise employees of a Saudi organization and a South Korean conglomerate with spear phishing emails posing as job vacancies at a Saudi petrochemical company. FireEye assesses that the attacks aimed to collect regional intelligence and that the South Korean targeting is likely related to that country’s petrochemical partnerships with both Iran and Saudi Arabia.

APT33 relies on a small set of custom tools: DROPSHOT, TURNEDUP, and SHAPESHIFT, delivered through spear phishing emails carrying malicious links. DROPSHOT is a dropper that FireEye observed APT33 using to install the TURNEDUP backdoor; other DROPSHOT samples found in the wild instead drop SHAPESHIFT, a wiper designed to erase disks and delete files, although FireEye did not directly observe APT33 deploying the wiper. The phishing emails are sent from registered domains that mimic well-known aviation companies and international organizations, showing how carefully the group masquerades as trusted parties.
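The lookalike-domain lure described above is the part of this tradecraft a mail-security team can screen for. The script below is an added example, not code from the article or from FireEye’s report: it pulls the sender domain out of each `From:` header, normalizes common homoglyph swaps (`rn` for `m`, `1` for `l`, and so on), and compares the result against a list of domains the organization legitimately corresponds with, flagging anything within a small edit distance or reusing a brand label in a different registration. The domain list and the sample headers are constructed for the example and are not domains attributed to APT33.

```python
import re

# Constructed list of domains this organization legitimately corresponds with
# (example values, not real vendors or APT33 infrastructure).
LEGIT_DOMAINS = ["example-aero.com", "example-air.sa", "example-petro.co.kr"]

# Visually confusable substitutions, undone before comparison.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Largest edit distance (after normalization) still treated as a look-alike.
MAX_DISTANCE = 2

# Constructed sample headers: one legitimate, three impersonations, one unrelated.
SAMPLE_HEADERS = [
    "From: HR Team <jobs@example-aero.com>",
    "From: Careers <careers@examp1e-aero.com>",          # digit 1 in place of l
    "From: Recruiting <hr@example-aero-careers.com>",    # brand embedded in new domain
    "From: Jobs <info@exarnple-petro.co.kr>",            # rn in place of m
    "From: Newsletter <news@unrelated-vendor.org>",
]


def normalize(domain):
    """Lower-case the domain and collapse homoglyphs to the letters they imitate."""
    domain = domain.lower().strip().rstrip(".")
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header):
    """Return the lower-cased domain of the first address in a From: header, or None."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header)
    return m.group(1).lower().rstrip(".") if m else None


def classify(domain):
    """Return (verdict, matched_legit_domain). Verdict is legitimate, lookalike or unknown."""
    domain = domain.lower().rstrip(".")
    if domain in LEGIT_DOMAINS:
        return ("legitimate", domain)
    norm = normalize(domain)
    labels = domain.split(".")
    for legit in LEGIT_DOMAINS:
        # Homoglyph swap or a one- or two-character typo of the whole domain.
        if levenshtein(norm, normalize(legit)) <= MAX_DISTANCE:
            return ("lookalike", legit)
        # Brand label reused inside a different registration, e.g. brand-careers.com.
        # Substring matching on short brands will over-trigger; tune per brand.
        brand = legit.split(".")[0]
        if any(brand in label for label in labels):
            return ("lookalike", legit)
    return ("unknown", None)


def scan(headers):
    """Classify every header's sender domain; returns (domain, verdict, matched) tuples."""
    results = []
    for header in headers:
        domain = sender_domain(header)
        if domain is None:
            continue
        verdict, matched = classify(domain)
        results.append((domain, verdict, matched))
    return results


if __name__ == "__main__":
    for domain, verdict, matched in scan(SAMPLE_HEADERS):
        print(f"{domain:32} {verdict:10} {matched or '-'}")
```

In production the `From:` display address should be checked alongside the envelope sender and the DKIM signing domain, since a lookalike registration will pass SPF and DKIM for its own domain; the point of this check is that authentication results alone say nothing about whether the domain is the one the recipient thinks it is.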

FireEye also connects APT33 to the Nasr Institute, which is reported to be a government-controlled Iranian cyber operations body. Some of the group’s activity resembles that of another Iranian group, Rocket Kitten, though no direct link has been confirmed. The exposure of APT33’s operations underscores Iran’s continued investment in offensive cyber capabilities aimed at strategically important industries, and the need for organizations in the aerospace, defense, and energy sectors to treat recruitment-themed phishing and lookalike sender domains as an active threat.
