A recent investigation by cybersecurity vendor FireEye revealed that a sophisticated cyber espionage campaign was launched by an Iranian Advanced Persistent Threat group against the United States, Saudi Arabia, and South Korean organizations in aerospace and energy sectors. The campaign may have been run to gather information on aviation and petrochemical industries to improve Iran’s capabilities in these sectors.
The FireEye researchers said that the APT33 used a technique called spearphishing for the cyber espionage campaigns. The attackers used emails similar to the legitimate recruitment offers from valid employment websites and linking them to the malicious HTML application files. These spurious mails included a faked Equal Opportunity Employer disclosures from multiple websites posing as the domains of Boeing, Alsalam Aircraft Company, and Northrop Grumman Aviation Arabia. When opened, the documents were capable of dropping an APT33 custom backdoor on the attacked computer. The droppers used by the APT33 group include DROPSHOT and has links to a destructive data erasing tool SHAPESHIFT, used against Saudi Arabian targets. FireEye said that the SHAPESHIFT was not used for any attacks. However, DROPSHOT is known to be used only by the APT33.
The FireEye security analyst Jacqueline O’Leary told Dark Reading that at least six organizations, including a US aerospace company, a Saudi Arabian business group with interests in the aviation sector, and a South Korean company involved in petrochemicals and oil were targeted between May 2016 and August 2017. However, more organizations could have been targeted as well.
According to FireEye, the code found in one malware sample pointed out that it could be developed and launched by an individual who was working for the Iranian government previously. Other indicators to link Iran’s involvement in the campaigns include the use of artifacts written in Farsi, the country’s official language. The publicly available tools and backdoors were also found on the Iranian threat actor websites. The intentions for carrying out the cyber espionage also aligns with the national interest with activities coinciding with Iran’s work timings.
Josiah Kimble, a security analyst with FireEye, commented, “APT33 shares some similarities with other nation-state groups in that they rely on publicly available tools with some use of custom malware development, potentially suggesting the threat actors are a part of a greater capability. Like most suspected state-sponsored actors, APT33’s targeting of organizations most closely aligns with nation-state interests.”
