FireEye analysis reveals that APT33 has carried out cyber espionage operations since at least 2013 and likely works on behalf of the Iranian government.
This information comes from recent investigations by FireEye Mandiant incident response consultants, combined with FireEye iSIGHT Threat Intelligence analysis, which uncovered details of APT33’s operations, capabilities, and potential motivations.
APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. The group has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aviation sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings. During the same time period, the group also targeted a South Korean company involved in oil refining and petrochemicals. In May 2017, APT33 appeared to target a Saudi Arabian organization and a South Korean business conglomerate using a malicious file that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.
FireEye analysts believe the targeting of the Saudi Arabian organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies could be due to South Korea’s partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi Arabian petrochemical companies. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region.
The group sent spear phishing emails to employees whose jobs related to the aviation industry. These emails used recruitment-themed lures and contained links to malicious HTML Application (.hta) files. The files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals.
In a few cases, APT33 operators left the default values of their shell’s phishing module in the emails. These appear to have been mistakes: minutes after sending the emails containing the default values, the group sent follow-up emails to the same recipients with the default values removed.
APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies and Western organizations that have partnerships to provide training, maintenance and support for Saudi Arabia’s military and commercial fleet. Based on observed targeting patterns, APT33 likely used these domains in spear phishing emails to target victim organizations.