Iranian APT33 Hackers Launch Phishing Attacks on Aviation, Energy Industries

FireEye researchers recently determined that an Iranian government hacking group, which the researchers are calling APT33, uses phishing attacks to target companies in the U.S., Saudi Arabia and South Korea. The group has been in operation since at least 2013.

From mid-2016 until early 2017, APT33 successfully compromised a U.S. organization in the energy sector, targeted a South Korean company involved in oil refining and petrochemicals, and targeted a business conglomerate in Saudi Arabia that had aviation holdings.

APT33 specifically targeted employees whose jobs related to the aviation industry with recruitment-themed emails containing links to malicious HTML application (.hta) files.

“We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia’s military aviation capabilities to enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis a vis Saudi Arabia,” the researchers wrote.

“Iran has repeatedly demonstrated a willingness to globally leverage its cyber espionage capabilities,” FireEye director of intelligence analysis John Hultquist said in a statement. “Its aggressive use of this tool, combined with shifting geopolitics, underscore the danger that APT33 poses to governments and commercial interests in the Middle East and throughout the world.”

State-Sponsored Attacks

STEALTHbits Technologies CTO Jonathan Sander told eSecurity Planet by email that APT33 demonstrates how outdated popular images of hackers are today. “When a cyber attack occurs, most still envision some young man in a hoodie or loner in a basement,” he said. “However, most of the bad guys today are professionals working for governments, organized crime, or even private [firms] in countries with lax laws that let cybercrime be a middle class profession.”

State-sponsored teams like APT33, Sander said, are especially dangerous because their motives help them evade traditional defenses. “Organizations tend to focus defense on attacks that would exfiltrate data,” he said. “Many use the common notion that we’ve all been penetrated already as an excuse to only worry about defending against the last stage of most attacks where that data is stolen. When the motivation is destruction, though, the part where the data leaves never happens, and the trap is never sprung.”

Still, Virsec Systems co-founder and COO Ray DeMeo said by email that the existence of groups like APT33 shouldn’t be a surprise. “We’ve seen clear evidence for some time that nation-state funded groups are using systematic, methodical, and innovative techniques to find weaknesses in networks and critical infrastructure systems,” he said.

“Expect ongoing cyber warfare to be the new normal, and it’s critical that all organizations take security much more seriously, improve their detection and protection capabilities, and train all employees to protect their credentials against theft,” DeMeo added.

The Phishing Threat

Attacks like these are part of an increasing flood of phishing attacks launched on a daily basis. A recent PhishMe survey of almost 200 U.S. executives found that one third of respondents see more than 500 suspicious emails per week.

Ninety percent of respondents worry about email-related threats, and two thirds have dealt with a security incident originating with a deceptive email.

Forty-three percent of those surveyed said their current phishing response ranges from “totally ineffective” to “mediocre,” and 80 percent plan to upgrade their phishing prevention and response.

The September 2017 Webroot Quarterly Threat Trends Report found that 1.385 million new and unique phishing sites are created each month, or more than 46,000 new phishing sites every day. In order to evade detection, the majority of those sites are online and active for only four to eight hours.

“Today’s phishing attacks are incredibly sophisticated, with hackers obfuscating malicious URLs, using psychology, and information gleaned from reconnaissance to get you to click on a link,” Webroot CTO Hal Lonas said in a statement.

“Even savvy cybersecurity professionals can fall prey,” Lonas added. “Instead of blaming the victim, the industry needs to embrace a combination of user education and organizational protection with real-time intelligence to stay ahead of the ever-changing threat landscape.”

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Latest articles

Top Cybersecurity Companies

Related articles