APT33

First known appearance: 2013

Threat Actors: Iranian government, with possible ties to the Islamic Revolutionary Guard Corps (IRGC)

Targets: Aerospace and Energy sectors

Objectives: APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored.

Overview: APT33 has targeted organizations, spanning multiple industries, headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

Associated malware: SHAPESHIFT, DROPSHOT, TURNEDUP, NANOCORE, NETWIRE, ALFA Shell

Typical attack vectors: APT33 sent spear-phishing emails to employees whose jobs related to the aviation industry. These emails included recruitment themed lures and contained links to malicious HTML application (.hta) files. The .hta files contained job descriptions and links to legitimate job postings on popular employment websites that would be relevant to the targeted individuals. (An example .hta file excerpt is provided in Figure 2.) To the user, the file would appear as benign references to legitimate job postings. However, unbeknownst to the user, the .hta file also contained embedded JavaScript code which automatically downloaded a custom APT33 backdoor.
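The lure pattern described above (recruitment-themed mail carrying a link to, or an attachment of, an HTML application file) is something a mail gateway or SOC can check for directly. The following is an added detection example, not code from the original profile or from any vendor; it runs over a few constructed sample messages with placeholder `example.test` domains and flags any message that links to or attaches a `.hta` file, noting separately when the message also uses recruitment wording.

```python
"""Added example: flag inbound mail that carries .hta links or attachments,
the lure pattern described in the APT33 profile. Sample messages below are
constructed for illustration and use placeholder example.test domains."""
import re
from urllib.parse import urlparse

# Crude URL extractor; trailing punctuation is stripped in extract_urls.
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)

# Words that suggest a recruitment-themed lure (assumption: a small list is
# enough for a secondary indicator; it is never the sole reason to alert).
LURE_WORDS = ("job", "career", "recruit", "vacancy", "position", "opportunity")


def extract_urls(text):
    """Return URLs found in free text, without trailing sentence punctuation."""
    return [u.rstrip(".,;:)") for u in URL_RE.findall(text)]


def is_hta(name_or_url):
    """True if a filename or URL path ends in .hta (case-insensitive).
    Query strings and fragments on URLs are ignored via urlparse."""
    path = urlparse(name_or_url).path if "://" in name_or_url else name_or_url
    return path.lower().endswith(".hta")


def assess_message(msg):
    """Classify one message dict with keys subject, body, attachments.

    Returns (verdict, reasons) where verdict is "alert" or "clean" and
    reasons lists the indicators that fired."""
    reasons = []
    hta_links = [u for u in extract_urls(msg["body"]) if is_hta(u)]
    hta_files = [a for a in msg.get("attachments", []) if is_hta(a)]
    if hta_links:
        reasons.append(f"hta_link:{len(hta_links)}")
    if hta_files:
        reasons.append(f"hta_attachment:{len(hta_files)}")

    # Recruitment wording on its own is normal traffic; it only adds context
    # when an .hta indicator has already fired.
    text = (msg["subject"] + " " + msg["body"]).lower()
    if reasons and any(w in text for w in LURE_WORDS):
        reasons.append("recruitment_lure")

    verdict = "alert" if (hta_links or hta_files) else "clean"
    return verdict, reasons


# Constructed sample input (not real messages or real indicators).
SAMPLE_MESSAGES = [
    {"subject": "Senior Avionics Engineer opening",
     "body": "See the description at http://careers.example.test/avionics.hta. Apply today.",
     "attachments": []},
    {"subject": "Quarterly newsletter",
     "body": "Read more at https://www.example.test/news/q3.html",
     "attachments": ["newsletter.pdf"]},
    {"subject": "Job opportunity",
     "body": "Details attached.",
     "attachments": ["Job_Description.HTA"]},
]


def run(messages=SAMPLE_MESSAGES):
    """Assess every message and return the list of (verdict, reasons)."""
    return [assess_message(m) for m in messages]


if __name__ == "__main__":
    for m, (verdict, reasons) in zip(SAMPLE_MESSAGES, run()):
        print(f"{verdict:5s} {m['subject']!r} {reasons}")
```

The check deliberately keys on the file type rather than on any particular lure text, since the job-posting wording is chosen to look legitimate; the recruitment indicator is only attached once an `.hta` indicator has fired, which keeps ordinary hiring mail out of the alert queue.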

 

[Figure: APT33 targeting map]