FireEye Reveals Operations, Techniques of Iranian Hacking Group Named APT33

PHOTO

Group has targeted the energy and aviation sectors

FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security company, today announced details of an Iranian hacking group with potential destructive capabilities which FireEye has named APT33.

FireEye analysis reveals that APT33 has carried out cyber espionage operations since at least 2013 and is likely to work for the Iranian government. This information comes from recent investigations by FireEye^® Mandiant^® incident response consultants combined with FireEye iSIGHT^® Threat Intelligence analysis which uncovered information on APT33’s operations, capabilities, and potential motivations.

Targeting

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. The group has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aviation sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings. During the same time period, the group also targeted a South Korean company involved in oil refining and petrochemicals. In May 2017, APT33 appeared to target a Saudi Arabian organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.

FireEye analysts believe the targeting of the Saudi Arabian organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies could be due to South Korea’s partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi Arabian petrochemical companies. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region.

Spear Phishing

The group sent spear phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application files. The files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.

In a few cases, APT33 operators left in the default values of the shell’s phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, the group sent emails to the same recipients with the default values removed.

Domain Masquerading

APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that have partnerships to provide training, maintenance and support for Saudi Arabia’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organizations.

Additional Ties Bolster Attribution to Iran

APT33’s targeting of organizations involved in aviation and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored. This coupled with the timing of operations – which coincides with Iranian working hours – and the use of multiple Iranian hacker tools and name servers bolsters the FireEye assessment that APT33 is likely to have operated on behalf of the Iranian government.

John Hultquist, Director of Intelligence Analysis at FireEye said, “Iran has repeatedly demonstrated a willingness to globally leverage its cyber espionage capabilities. Its aggressive use of this tool, combined with shifting geopolitics, underscore the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world. Identifying this group and its destructive capability presents an opportunity for organizations to detect and deal with related threats proactively.”

Learn more about APT33 from an upcoming FireEye webinar. Sign up here: https://www.brighttalk.com/webcast/10703/275683?utm_source=FireEye_blog

-Ends-

About FireEye, Inc.
FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence, and world-renowned Mandiant^® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent, and respond to cyber-attacks. FireEye has over 6,000 customers across 67 countries, including more than 40 percent of the Forbes Global 2000.

© 2017 FireEye, Inc. All rights reserved. FireEye, Mandiant and iSIGHT are registered trademarks or trademarks of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Media Contact:
Peter Beck
FireEye, Inc.
+44 7887 480510
media.relations@FireEye.com

Investor Relations contact:
Kate Patterson
(408) 321-4957
kate.patterson@FireEye.com

FireEye Reveals Operations, Techniques of Iranian Hacking Group Named APT33

DISCOVER MORE

Nearly Eight out of 10 Emirati consumers prefer gift cards over a traditional gift: YouGov-YOUGotaGift survey

Marriott International signs agreement with NEOM to bring the Ritz-Carlton reserve to Trojena, the mountains of NEOM

SRTI Park sheds light on use of AI in Balancing Decarbonization and Profitability

Department of Finance announces successful Abu Dhabi Issuance of USD 5bln Treasury Bonds

BALADNA signed an agreement with the Algerian Ministry of Agriculture and Rural Development

Dubai Restaurant Week begins tomorrow

Al Hamra launches premium waterfront project in its flagship Al Hamra Village community

Honoring the winners of the innovation competition at the Abu Dhabi Judicial Department

Victor moves headquarters to Abu Dhabi

Bitget Wallet’s COO explained web3 security strategies at Dubai conference

Albal Design launches UAE's first science based interior design concept

Binghatti launches its debut project adjacent to Dubai Hills

Dar Global announces partnership with Aston Martin to deliver stunning beachfront residences in Ras Al Khaimah, United Arab Emirates

UK bank Barclays logs falling quarterly profit

Nestle India unit's profit beats estimates on higher demand

Iraq expects $450bln projects

South Korea presidential office sees 2024 growth to surpass projected 2.2%

Japan's Nikkei falls 2% after 3-day rally; tech stocks lead decline

LATEST VIDEO

VIDEO: Expect more extreme weather threats like UAE floods worldwide – Climate expert

ZAWYA COVERAGE

Sustainable projects to drive up capex of GCC oil companies by up to $25bn per year

Saudi PIF-backed RVCMC selects Xpansiv to launch carbon credit exchange

Qatar firm Baladna signs $3.5bln deal with Algeria to develop ‘world’s largest’ dairy farm project

Emirates Islamic Bank posts 35% jump in Q1 2024 net profit

UK bank Barclays logs falling quarterly profit

Nestle India unit's profit beats estimates on higher demand

South Korea presidential office sees 2024 growth to surpass projected 2.2%

Japan's Nikkei falls 2% after 3-day rally; tech stocks lead decline

Mercedes says it will continue to invest in China tie-ups

THE BRI REPORT

China’s flagship global infrastructure initiative is changing in the face of potent headwinds