Threat actor group APT33, which is widely believed to be working in the service of the Iranian government, is stepping up its cyberespionage activities against Saudi Arabian organisations, according to researchers at cybersecurity firm Recorded Future.
The group’s modus operandi is to send spear-phishing emails to its targets. Victims who click on a malicious link unwittingly launch a dropper, which either deploys a wiper that deletes the infected device’s files or installs a backdoor for follow-on attacks.
Insikt Group, Recorded Future’s research arm, analysed domains associated with APT33 and concluded with “medium confidence” that the group – or one closely aligned to it – has targeted a range of largely Saudi organisations since late March this year.
These include a conglomerate headquartered in Saudi Arabia, two Saudi healthcare organisations, a Saudi firm in the metals industry, a mass media company in India and a delegation from a diplomatic institution.
These cyberattacks follow research conducted by cybersecurity firm Symantec in late March 2019, which found that APT33 has been targeting a range of US organisations.
Relations between the US and Iran have been strained since US President Trump re-imposed sanctions on Iran in 2018. Tensions escalated this month after oil tankers were attacked near the Strait of Hormuz, Iran shot down a US drone, and the US responded with a retaliatory cyberattack against Iran.
“The conflict is being mirrored in the cyber domain as well,” Levi Gundert, vice president of intelligence and risk at Recorded Future, told Verdict. “The US has demonstrated a history of offensive cyber operations in Iran and there’s no reason to believe that those operations have ended.
“Similarly, we’ve observed APT33 managing a large internet infrastructure and introducing new targets. We can only speculate on motives, but historically Iran’s cyber operations reflect a response to perceived provocation, which these newest US sanctions certainly represent.”
APT33, the IRGC and MOIS
Notably, Recorded Future discovered that APT33 has parked domains in the wake of media coverage of the Symantec report, suggesting the group is aware it is being investigated.
However, APT33 continues to control large swathes of domains that carry minimal risk ratings in domain-reputation services, so they appear benign to defenders relying on those scores.
Since 28 March 2019, Recorded Future has detected over 1,200 of these domains under the threat actor’s control. Of these, 728 – roughly 60% – were identified as communicating with infected hosts.
APT33, also known as Elfin, has typically used so-called ‘commodity malware’ – malware that is widely available as opposed to customised – in order to hide among other attackers.
Recorded Future observed the suspected APT33 domains using malware families related to njRAT – a form of malware not previously associated with the threat actor group.
APT33 was publicly identified by cybersecurity firm FireEye, which has tracked its activity back to at least 2013. It has previously targeted commercial entities in the aerospace, defence and oil and gas industries. These attacks have largely been directed against Middle East countries, including Saudi Arabia, but have also included the US, Europe and South Korea.
Citing a “sensitive Insikt Group source” Recorded Future says that Iranian government-controlled bodies, Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS), assigned tasks such as “vulnerability research, exploit development, reconnaissance, and the conducting of network intrusions or attacks” to over 50 contracted organisations, suspected to be part of APT33’s operations. In doing so, the IRGC and/or MOIS were able to compartmentalise their efforts and “mitigated the risk from rogue hackers”.
Laying the groundwork for future operations
These findings further corroborate separate research by cybersecurity firms Crowdstrike, Dragos and FireEye that APT33 is conducting a campaign of cyberespionage at the behest of the Iranian government.
The report also notes that APT33’s activities could indicate it is “laying the groundwork for future cyberespionage operations”.
“This is purely my opinion, but Iran may be waiting to launch destructive attacks because they still see Europe as a potential ally, and they wish to maintain a victim persona,” said Gundert. “Although Europe’s attempt to blunt the impact of US sanctions has largely been a failure.
“Iran may also be unsure of how the Trump administration will respond if they launch a significant cyber attack. That may leave Iranian contractors with a mandate to prepare infrastructure and gather intelligence for Iranian government decision makers.”
Recorded Future advises organisations to configure their network defence mechanisms to alert on the suspected domains, a list of which can be found in the appendix of Recorded Future’s report.
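As an added illustration of that advice (this is example code written for this article, not part of Recorded Future’s report or tooling), the script below matches DNS query logs against a watchlist of suspected command-and-control domains. The watchlist entries, the BIND-style log lines and the internal IP addresses are all constructed placeholders using reserved `.test` and `.example` names, not real APT33 indicators; in practice the watchlist would be populated from the report’s appendix. The check matches a queried name when it equals a watchlisted domain or is a subdomain of one, while deliberately not matching names that merely contain a watchlisted domain as a prefix, which a naive substring search would flag.

```python
# Added example (not from the Recorded Future report): alert on DNS queries that
# resolve watchlisted domains or their subdomains. All domains, log lines and IPs
# below are constructed placeholders, not real indicators.
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed placeholder watchlist; in practice, load the report's appendix here.
SUSPECT_DOMAINS: Set[str] = {
    "example-c2.test",
    "update-service.example",
}

# Constructed sample lines in a BIND-style query log format (assumed layout).
SAMPLE_DNS_LOG = """\
12-Jun-2019 09:14:02.113 client 10.0.0.15#51234: query: mail.corp.internal IN A + (10.0.0.2)
12-Jun-2019 09:14:05.447 client 10.0.0.23#40211: query: cdn.example-c2.test IN A + (10.0.0.2)
12-Jun-2019 09:15:11.902 client 10.0.0.15#51240: query: example-c2.test.evil.example IN A + (10.0.0.2)
12-Jun-2019 09:16:30.005 client 10.0.0.42#60001: query: update-service.example IN TXT + (10.0.0.2)
"""

QUERY_RE = re.compile(
    r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(domain: str) -> str:
    """Lower-case and strip a trailing dot so 'Foo.Example.' and 'foo.example' compare equal."""
    return domain.rstrip(".").lower()


def matches_watchlist(qname: str, watchlist: Set[str]) -> Optional[str]:
    """Return the watchlisted domain that qname equals or is a subdomain of, else None.

    Walks the label suffixes from most to least specific (a.b.c -> a.b.c, b.c, c),
    so 'cdn.example-c2.test' matches 'example-c2.test' but
    'example-c2.test.evil.example' does not: a prefix is not a parent domain.
    """
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def find_hits(log_lines: Iterable[str], watchlist: Set[str]) -> List[Dict[str, str]]:
    """Parse query-log lines and return one record per query touching the watchlist."""
    hits: List[Dict[str, str]] = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line in the assumed format
        matched = matches_watchlist(m["qname"], watchlist)
        if matched:
            hits.append(
                {
                    "src": m["src"],
                    "qname": normalise(m["qname"]),
                    "qtype": m["qtype"],
                    "matched": matched,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_DNS_LOG.splitlines(), SUSPECT_DOMAINS):
        print(f"ALERT src={hit['src']} qname={hit['qname']} ({hit['qtype']}) matched={hit['matched']}")
```

Run against the constructed log, the script raises two alerts (the `cdn.` subdomain query and the TXT query for the second listed domain) and correctly ignores the third line, where the watchlisted name appears only as a prefix of an unrelated domain.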