APT33: FireEye Report Details Iranian Espionage Activity

On Wednesday, FireEye published a report revealing a new Iranian advanced persistent threat (APT) group, dubbed APT33. According to FireEye's assessment, APT33 has been active since at least 2013, conducting cyber-espionage operations on behalf of the Iranian government. The group has targeted a range of organizations, including those with ties to military and commercial aviation, petrochemical production, and holding companies in the United States, Saudi Arabia, and South Korea. The specific targeting of aviation and petrochemical companies is likely to influence strategic decision-making, advance Iran’s capabilities, and increase Iran’s competitive advantage in these sectors. One APT33 campaign consisted of a recruitment-themed spear-phishing email related to the industry from which the target is employed. These emails contained links to malicious HTML application (.hta) files that detailed legitimate job descriptions and job post links directing the target to a spoofed employment website. Additionally, the .hta files contained embedded code that automatically downloads a custom APT33 backdoor. In a separate campaign, APT33 registered multiple domains masquerading as Saudi Arabian aviation companies and western organizations that provide services to Saudi military and commercial fleets and used those domains in spear-phishing emails. APT33 often uses the DROPSHOT dropper to deliver the TURNEDUP backdoor. The DROPSHOT dropper, however, is also linked to the SHAPESHIFT wiper, indicating the group also conducts destructive operations or shares tools with a separate Iran-based APT that does. FireEye expects APT33 to continue targeting a broad range of entities, and may extend their espionage activities into other regions and sectors in support of Iran’s strategic interests. The NJCCIC recommends all security professionals review FireEye’s report and scan for the indicators of compromise (IoCs) provided to determine whether malicious activity associated with APT33 has been observed within your network. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.