A cyber espionage group linked by security researchers to the Iranian government has been observed targeting aerospace and energy organizations in the United States, Saudi Arabia and South Korea.
The threat actor, tracked by FireEye as APT33, is believed to have been around since at least 2013. Since mid-2016, the security firm has spotted attacks aimed by this group at the aviation sector, including military and commercial aviation, and energy companies with connections to petrochemical production.
Specifically, the cyberspies targeted a U.S. organization in the aerospace sector, a Saudi Arabian business conglomerate with aviation holdings, and a South Korean firm involved in oil refining and petrochemicals. In recent attacks, the hackers used job vacancies at a Saudi Arabian petrochemical firm to target the employees of organizations in South Korea and Saudi Arabia.
“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” FireEye said in a blog post.
“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the company added.
According to FireEye, the cyber espionage group sent hundreds of spear phishing emails last year. They set up several domains made to look as if they belonged to Saudi aviation firms and international organizations that work with them, including Alsalam Aircraft Company, Boeing and Northrop Grumman Aviation Arabia.
The malware used by the group includes a dropper tracked by FireEye as DROPSHOT, a wiper named SHAPESHIFT, and a backdoor called TURNEDUP. DROPSHOT was previously analyzed by Kaspersky, which tracks it as StoneDrill.
The StoneDrill malware was tied by Kaspersky to the notorious Shamoon 2 and Charming Kitten (aka Newscaster and NewsBeef), a threat actor believed to be operating out of Iran.
FireEye has also linked APT33 to Iran based on connections to the “Nasr Institute,” which is said to be Iran’s “cyber army”, attacks launched during Iranian working hours, and the use of Iranian hacking tools.