APT 33, Elfin, Magnallium
Description
(FireEye) When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
APT 33 seems to be closely related to OilRig (also tracked as APT 34, Helix Kitten and Chrysene) since at least 2017.
Names
Name | Name-Giver |
---|---|
APT 33 | Mandiant |
Elfin | Symantec |
Magnallium | Dragos |
Holmium | Microsoft |
ATK 35 | Thales |
Refined Kitten | CrowdStrike |
TA451 | Proofpoint |
Cobalt Trinity | SecureWorks |
Peach Sandstorm | Microsoft |
Yellow Orc | PWC |
Curious Serpens | Palo Alto |
Country
Sponsor
State-sponsored, Iranian Islamic Revolutionary Guard Corps (IRGC)
Motivation
- Information theft and espionage
- Sabotage and destruction
First Seen
2013
Observed Sectors
- Aviation
- Defense
- Education
- Energy
- Financial
- Government
- Healthcare
- High-Tech
- Manufacturing
- Media
- Oil and gas
- Petrochemical
- Telecommunications
- others
Observed Countries
Tools
- AutoIt backdoor
- DarkComet
- DistTrack
- EmpireProject
- FalseFont
- Filerase
- JuicyPotato
- LaZagne
- Mimikatz
- NanoCore RAT
- NetWire RC
- PoshC2
- PowerBand
- PowerSploit
- POWERTON
- PsList
- PupyRAT
- QuasarRAT
- RemcosRAT
- Ruler
- SHAPESHIFT
- StoneDrill
- Tickler
- TURNEDUP
- Living off the Land
Operations
- 2019-03: Attacks on Multiple Organizations in Saudi Arabia and U.S. The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries. https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
- 2019-07: US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks. The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday. https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/
- 2019-11: More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/
- 2023-02: Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/
- 2023-11: Microsoft: Hackers target defense firms with new FalseFont malware https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/
- 2024-04: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/
Information
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
- https://en.wikipedia.org/wiki/Elfin_Team
Mitre Attack
Playbook
Other Information
Uuid
958e1f46-a2b6-4beb-8cb0-ddc90c08368e
Last Card Change
2024-10-23