FireEye has laid out evidence that it believes connects the hacking of several U.S., Saudi Arabian and South Korean aerospace and petrochemical to an Iranian cyber group it has labeled APT33.
The cybersecurity firm said its iSIGHT Threat Intelligence and Mandiant incident response teams came to this conclusion that an Iranian group was behind these incidents after an investigation found hacks and spearphishing attacks against specific companies and industries that could give Iran needed information. In addition, FireEye researchers found an online persona, xman_1365_x, who may have been in the employ of the Iranian government to conduct these cyberattacks.
FireEye's report found that APT33 began its activity in mid-2016 and continued through the first part of 2017 when it compromised an American aviation firm and a Saudi Arabian company with interests in that field. Around the same time the cyber gang conducted an operation against a South Korean petrochemical company.
Saudi Arabia and Iran are enemies on many fronts, both military and economically. When this is tied to the type of attacks conducted FireEye believes APT33 is trying to help Iran gain an edge on its main regional competitor.
“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia's military aviation capabilities to enhance Iran's domestic aviation capabilities or to support Iran's military and strategic decision making vis a vis Saudi Arabia,” the report stated.
FireEye concluded that this activity will continue and possibly target new entities in other regions that are of interest to Iran.
The company postulated that South Korean involvement is due to that countries recent partnership with Saudi petrochemical firms. Oddly, some Iranian corporations have similar deals in place leading FireEye to conclude APT33 is trying to help Iran improve its own petrochemical production and remain competitive against Saudi Arabia.
The spearphishing attempts use employment opportunities as the primary lure to trick someone into opening the email and click on the links contained inside. FireEye said the emails did refer to legitimate job openings, but in addition to giving details on the job the malicious email also downloaded a custom-made backdoor into the victim's system. Interestingly, some of the phishing emails contained a major error that indicated they were indeed malicious.
“In a few cases, APT33 operators left in the default values of the shell's phishing module. These appear to be mistakes, as minutes after sending the emails with the default values, APT33 sent emails to the same recipients with the default values removed,” the report stated.
FireEye also laid out its evidence that it believes ties APT33 to Iran.
“Open source reporting links the “xman_1365_x” actor to the “Nasr Institute,” which is purported to be equivalent to Iran's “cyber army” and controlled by the Iranian government. Separately, additional evidence ties the “Nasr Institute” to the 2011-2013 attacks on the financial industry, a series of denial of service attacks dubbed Operation Ababil,” the report states.
FireEye researchers also found an actor using the handle “xman_1365_x” as being involved in the development and potential use of APT33's TURNEDUP backdoor due to the inclusion of the handle in the processing-debugging (PDB) paths of many of TURNEDUP samples, the company said.
It also noted that xman_1365_x was a community manager in the Barnamenevis Iranian programming and software engineering forum and accounts and has registered accounts in the Iranian Shabgard and Ashiyane forums, although FireEye clarified that it had no evidence that xman_1365_x was ever a formal member of those forums.
The report also used some more anecdotal evidence that APT33 has ties, such as the time of day the activity took place coincided with the usual Iranian work week, which is Saturday to Wednesday. The report also said the perpetrators used known Iranian hacking tools and DNS servers.
“The publicly available backdoors and tools utilized by APT33 – including NANOCORE, NETWIRE, and ALFA Shell – are all available on Iranian hacking websites, associated with Iranian hackers, and used by other suspected Iranian threat groups. While not conclusive by itself, the use of publicly available Iranian hacking tools and popular Iranian hosting companies may be a result of APT33's familiarity with them and lends support to the assessment that APT33 may be based in Iran,” the report concluded.
