Hackers likely sponsored by the Iranian government recently compromised a U.S. aerospace organization, according to a new report from cybersecurity firm FireEye. The hackers, which FireEye dubs APT33, also targeted a selection of other energy and aviation bodies across Saudi Arabia and South Korea.
The attacks were espionage-driven and focused on stealing sensitive information, according to the report. But APT33 has links to a more destructive piece of malware that is designed to wipe computers, leading to concern that the group may turn to more aggressive tactics in the future.
“It’s the early warning for actors that tomorrow may become more aggressive and shift from a classic intelligence role to an attack role,” FireEye analyst John Holtquist told The Daily Beast.
ADVERTISEMENT
According to the report, APT33 sent hundreds of phishing emails to targets in 2016 using a publicly available tool called ALFASHELL. The emails themselves convincingly passed off as job-recruitment ads, referencing specific job opportunities and salaries, the report adds.
The hackers, however, included links to fake company websites, and registered a slew of domains designed to look like sites for companies including Boeing and Northrop Grumman Aviation Arabia. In its report, FireEye points out that several of these companies are involved in developing military and aviation products in Saudi Arabia.
These targets are in line with what a state-sponsored hacking group may be interested in pursuing.
“A lot of esoteric information that’s really only of value to a government,” Holtquist said. He declined to name the targeted U.S. organization or discuss how severe the breach was.
Iranian hackers have previously tried to identify computers that control infrastructure in the U.S., targeted a small dam in New York’s Westchester County, and launched distributed-denial-of-service (DDoS) attacks on U.S. banks designed to slow service to a crawl.
Included in a piece of non-public malware APT33 uses called TURNEDUP is the username “xman_1365_x.” xman has accounts on a selection of Iranian hacking forums, such as Shabgard and Ashiyane, although FireEye says it did not find any evidence to suggest xman was formally part of those site’s hacktivist groups. In its report, FireEye links xman to the “Nasr Institute,” a hacking group allegedly controlled by the Iranian government.
xman_1365_x did not respond to a request for comment from The Daily Beast.
According to the report, the timings of the hacking operations also line up with Iranian working hours, with the hackers being active during Iran’s Daylight Time and on days that corresponded to the country’s work week of Saturday to Wednesday.
APT33 also used tools and infrastructure the other suspected Iranian hacking groups have used, the report adds.
Some of those other groups have used more destructive malware to wipe a target’s computers. In December of last year, the Department of Defense warned U.S. contractors about Shamoon, an Iran-linked malicious program that wiped thousands of computers in Saudi Arabia. And although FireEye has not directly observed APT33 using a similar program, it appears to have the capability to do so—FireEye identified APT33-associated programs that load wiping malware onto targets.
“We assess there may be multiple Iran-based threat groups capable of carrying out destructive operations,” the report reads.
It’s not totally clear how APT33 relates to these other groups, but that is the nature of the Iranian hacking space: It’s messy.
“The group itself is fairly new and not well covered, but one of the idiosyncratic qualities of Iranian cyberoperations is how chaotic the ecosystem is. There’s several small groups using rudimentary tools, rather than a large-scale effort—there isn’t quite central group in their operations,” Collin Anderson, an Iran-focused security researcher, told The Daily Beast.
But, in the same way that Russian hackers have moved from pure espionage to more kinetic and destructive attacks, maybe more attention should be paid to their Iranian counterparts, as they continue to target U.S. bodies.
“It’s important to identify these threats when they are in their infancy; when they’re in their early stages of activity,” Holtquist said.
