
Elfin, aka APT33, targets U.S., Saudi Arabian firms in cyberespionage campaign

The cyberespionage group Elfin, aka APT33, has launched a heavily targeted campaign against multiple organizations in Saudi Arabia and the United States.

Researchers said the most recent targets include major corporations. Although 42 percent of observed attacks focused on Saudi Arabia, the U.S. has also been an area of interest for the group, with 18 organizations, including a number of Fortune 500 companies, hit over the past three years, according to a March 27 Symantec blog post.

U.S.-based attacks have targeted firms in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors, with some organizations targeted as a means of mounting supply chain attacks, researchers said in the report.

“In a recent wave of attacks during February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files,” the report said. “The exploit was used against one target in the chemical sector in Saudi Arabia.”

The threat group has deployed a wide range of tools in its custom malware toolkit, including Backdoor.Notestuk (aka TURNEDUP), Trojan.Stonedrill and an AutoIt backdoor. Like other nation-state groups, APT33 looks to exploit unpatched systems.

FireEye researchers also monitored the hacking group as it sent multiple spear-phishing emails with malicious WinRAR attachments to people in the energy sector last month, purportedly from senior executives at Middle East oil and gas organizations, Nalani Fraser, FireEye’s senior manager of threat intelligence, told CyberScoop.

Symantec researchers described APT33 as “one of the most active groups currently operating in the Middle East” and said it has shown a “willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims.”

The group has been active since 2015 or early 2016 and has been compromising targets, including government organizations, in the research, chemical, engineering, manufacturing, consulting, finance, telecoms and other sectors.

In December 2018, the group was linked to a wave of Shamoon attacks, one of which infected a company in Saudi Arabia that had also been attacked by Elfin, leading researchers to believe the groups were connected.

Last year, FireEye found that the Iranian threat group had been launching hacking and spear-phishing attacks against U.S., Saudi and South Korean aerospace and petrochemical companies.
