
Iran’s APT33 targets US defense contractors with novel malware


Iranian nation-state threat group APT33 is using a previously unknown backdoor malware with espionage capabilities to target U.S. defense industrial base (DIB) workers.

In a thread on X, Microsoft’s Threat Intelligence team said it first observed APT33 (which it tracks as Peach Sandstorm, and is also known as Refined Kitten or Holmium) attempting to deliver the new FalseFont malware in early November.

“FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its C2 (command-and-control) servers,” the threat intelligence researchers posted.

The team said the development and use of the new malware was consistent with APT33’s activity over the past year, suggesting the threat group was “continuing to improve their tradecraft.”

APT33 targeting international aviation, energy sectors

APT33 was first observed carrying out cyberespionage operations in 2013. In a threat research post first published in 2017 and updated in October this year, Mandiant said the threat group targeted U.S., Saudi Arabian and South Korean-based organizations. It had shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

Microsoft’s Threat Intelligence Team revealed APT33 carried out a months-long password spray campaign, beginning in February, with a specific focus on attempting to compromise satellite, defense and pharmaceutical organizations.

Password spraying involves attempting to log into many accounts at one organization using a small number of commonly used passwords, as opposed to brute-force attacks, which bombard a single account with numerous login attempts.
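The distinction drawn above maps directly onto two different detection signals in authentication logs: a spray shows up as failures spread across many accounts from one source, while brute force shows up as many failures against one account. The following is an added detection example written for this article; it is not code from the article, from Microsoft or from any vendor. The log line format (`timestamp source_ip username RESULT`), the thresholds, and the sample log lines are all constructed assumptions for illustration.

```python
"""Separate password-spray from brute-force patterns in authentication logs.

Added example. The log format, source addresses, usernames and thresholds
below are constructed assumptions, not data from the article.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source fails once each against six accounts
# (spray shape), one source fails twelve times against "admin" (brute-force
# shape), and one user mistypes a password once and then succeeds (benign).
SPRAY_LINES = [
    f"2023-11-02T08:00:{i * 2:02d}Z 203.0.113.7 {user} FAIL"
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
]
BRUTE_LINES = [f"2023-11-02T08:05:{i:02d}Z 198.51.100.9 admin FAIL" for i in range(12)]
BENIGN_LINES = [
    "2023-11-02T08:10:00Z 192.0.2.44 heidi FAIL",
    "2023-11-02T08:10:30Z 192.0.2.44 heidi OK",
]
SAMPLE_LOG = "\n".join(SPRAY_LINES + BRUTE_LINES + BENIGN_LINES)


def parse_log(text):
    """Parse 'timestamp src user RESULT' lines into time-sorted event tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=15), spray_accounts=5, brute_attempts=10):
    """Return {source_ip: set of labels} using a sliding window of failures per source.

    'spray'       : failures against >= spray_accounts distinct accounts in the window
    'brute-force' : >= brute_attempts failures against a single account in the window
    Successful logins are ignored here; in practice a success that follows a
    spray from the same source is the event most worth alerting on.
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) for failures
    findings = defaultdict(set)
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        # Drop failures that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        per_user = Counter(u for _, u in q)
        if len(per_user) >= spray_accounts:
            findings[src].add("spray")
        if max(per_user.values()) >= brute_attempts:
            findings[src].add("brute-force")
    return dict(findings)


def analyze_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, labels in sorted(analyze_sample().items()):
        print(f"{src}: {', '.join(sorted(labels))}")
```

The spray source trips the distinct-account threshold while never exceeding one failure per account, which is exactly why per-account lockout policies do not catch it; the brute-force source does the opposite. Real campaigns of the kind described in the article are typically slow and spread across many source addresses, so a production rule would key on the tenant rather than a single IP and use a window of hours or days, and it should correlate any later successful login with the preceding spray.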

“Based upon the profile of victim organizations targeted and the observed follow-on intrusion activity, Microsoft assesses that this initial access campaign is likely used to facilitate intelligence collection in support of Iranian state interests,” Microsoft’s researchers said at the time.

When its login attempts were successful, the researchers said they observed APT33 using a combination of publicly available and custom tools for discovery, persistence, and lateral movement across the compromised organizations. It also exfiltrated data in “a small number of intrusions.”

“While the specific effects in this campaign vary based on the threat actor’s decisions, even initial access could adversely impact the confidentiality of a given environment,” they said.

Due to the strong desire by nation-state adversaries, including Iran, to obtain military and commercial secrets, the DIB, comprising more than 100,000 defense contractor organizations, is under constant attack from threat actors. As a result, there have been ongoing efforts by the Pentagon and Congress to improve cybersecurity resilience across the DIB.

Outside of the DIB, another Iranian advanced persistent threat (APT) group, Cyber Av3ngers, last month carried out attacks against U.S. water utility organizations. The attacks compromised Israeli-made industrial control equipment at the targeted facilities.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.
