Iranian Cyber Espionage: APT33 – Collective Intelligence Analysis

Recent investigations released a new threat actor named APT33 believed to be Prominent Iranian Hacker Group capable of espionage as well as spreading of one of the unseen species of malware called Wipers on the victims hard drive – once unleash capable of destroy data via wiping disks, erasing volumes and Deleting files depending on system’s configuration. We will be uncovering some of the facts and collective intelligence for the APT33 hacker group.

Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware

  1. APT33 is a capable group that has carried out cyber espionage operations since at least 2013
  2. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
  3. From mid-2016 through early 2017, APT33 compromised a U.S. organization in the aerospace sector and targeted a business conglomerate located in Saudi Arabia with aviation holdings.
  4. APT33 may have targeted these organizations as a result of Iran’s desire to expand its own petrochemical production and improve its competitiveness within the region.
  5. APT33 leverages popular Iranian hacker tools and DNS servers used by other suspected Iranian threat groups. The publicly available backdoors and tools utilized by APT33 – including NANOCORE, NETWIRE, and ALFA Shell – are all available on Iranian hacking websites, associated with Iranian hackers, and used by other suspected Iranian threat groups
  6. The ties to SHAPESHIFT may suggest that APT33 engages in destructive operations or that they share tools or a developer with another Iran-based threat group that conducts destructive operations.

Targetted/Affected Organizations

APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

  1. United States – Compromised a U.S. organization in the aerospace sector
  2. Saudi Arabia – A business conglomerate located in Saudi Arabia with aviation holdings.
  3. South Korea – Company involved in oil refining and petrochemicals

 

Suspects Analysis as per Media Coverage

Source : Iranian Cyber News Agency – Iranians Behind StoneDrill and NewsBeef Malware                   

  1. Mahdi Honarvar xman_1365_x is self-identified on forums as Mahdi Honarvar from Mashad. This is shown to be linked to the third wave of attacks by the Shamoon-2 wiper malware.Not being content with being exposed 3 years ago as a member of the Cyber Army Institute of Nasr, he has continued to work for the Kavosh front company, and this now shows that he and others, through their poor security procedures, have enabled others to easily link the malware back to the Iranian State, inviting retribution from those who were affected.
  2. The size of the NewsBeef and StoneDrill attacks suggests an organized team effort. Searches have revealed he could be part of an organized group. Some of those that Iran Khabarestan exposed were researching and developing spyware against conscientious and political opponents of the Islamic Republic might also be involved? They are as follows:
    1.  Malek Mohammadinezhad – He is head of the fake Kavosh company and uses the email address
    2. Behzad Shamsi Achachluei – Spyware and malware developer for smartphones, uses the email address
    3. Saeid Beiki – Beiki discovers vulnerabilities and informs the IRGC so that they can spy on people and start cyberwars. His own resume states that in the past he has been a ‘Malware Analyst, Kavosh Security Center, Tehran’
    4. Mehdi Hoseinzadeh – Hoseinzadeh is a spyware developer.
    5. Milad Torkashvan – Torkashvan is involved with research and development -R&D- of cloud-based attack systems, working as a malware developer.
    6. Sayyed Javad Sayyedhamzeh – Sayyedhamzeh is a spyware and destructive malware developer.
    7. Javad Heidariyan – Heidariyan codes malware to spy on Iranians.
    8. Nima Nikju – Nikju -Nikjoo- works on coding malware to spy on Iranians.
    9. Mohammad Paryar – Paryar also codes malware to spy on Iranians.
  3. The original blogpost where this information is listed is from is on Iran Khabarestan available HERE. Two of those indicted by the USA FBI in 2016, Hamid Firuzi and Nader Saedi are also named in the article.

Malware Impacts

  1. The hackers remained inside of the systems of those affected for “four to six months” at a time, able to steal data and leaving behind the malware that FireEye refers to as Shapeshifter.
  2. Security firm Kaspersky first spotted ShapeShift in March of this year, calling it StoneDrill. Kaspersky noted that it resembles Shamoon, but with more techniques designed to evade security mechanisms, like the “sandbox” protections that limit a given application’s access to the rest of a target computer. Kaspersky wrote at the time that one of the two targets in which it found StoneDrill malware was European, whereas Shamoon’s attacks had been confined to the Middle East. “Why is this worrying?” asked Kaspersky founder Eugene Kaspersky in a blog post about the discovery. “Because this finding indicates that certain malicious actors armed with devastating cyber-tools are testing the water in regions in which previously actors of this type were rarely interested.”
  3. 7 March 2017 – Wiper also appears to be connected with NewsBeef, an advanced, persistent threat (APT) actor known for targeting Saudi Arabia by using the Browser Exploitation Framework known as BEeF.
  4. Kaspersky Labs also discovered a StoneDrill backdoor used for spying purposes, alongside four command-and-control (C&C) panels used to run and monitor destructive campaigns.                                                                                     
  5. ln 2016 another round of Shamoon attacks ripped through the Middle East, destroying thousands more machines, this time overwriting the drives with the image of the body of a 3-year-old Syrian refugee who drowned in the Mediterranean.
  6. the “Dark Seoul Gang” used wiper malware to destroy computer hard drives at South Korean banks and broadcasting facilities, as well as attack the country’s financial companies.- zdnet
  7. In 2012, Iran-linked hackers calling themselves “Cutting Sword of Justice” used a piece of similar “wiper” malware known as Shamoon to overwrite the hard drives of 30,000 computers at Saudi oil behemoth Saudi Aramco and Qatari natural gas producer RasGas with the image of a burning US flag.

Source :- eugene.kaspersky.com StoneDrill: We’ve Found New Powerful ‘Shamoon-ish’ Wiper Malware – and It’s Serious.

 

Research Reports and Analysis

  1. 1 September 2012 –  Shamoon The Wiper – Kaspersky Lab Analysis
  2. 27 April 2016 – wiper also appears to be connected with NewsBeef, an advanced, persistent threat (APT) actor known for targeting Saudi Arabia by using the Browser Exploitation Framework known as BEeF.- Kaspersky Lab Analysis
  3. 30  – FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region – Shamoon 2.0 Analysis by Fireeye Team
  4.  7 March 2016 – FROM SHAMOON TO STONEDRILL Wipers attacking Saudi organizations and beyond – Kaspersky Lab Analysis Report
  5.  – APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware – APT33 Analysis by Fireeye Team

Threat Intelligence and Prevention Advisories

  1. 4 July 2017 Remove Trojan StoneDrill
  2. 22 August 2017 Virustotal Analysis
  3. 15 Microsoft Windows Defender Security Intelligence – Trojan:Win32/WipMBR.B is a trojan that overwrites your computer’s MBR (master boot record) and other files, thus preventing you from accessing your operating system and using your computer

Media Coverage

  1. Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware – Fireeye Report
  2. The Iran-linked APT33 group has been targeting aerospace and energy organizations in the United States, Saudi Arabia, and South Korea.- Securityaffairs
  3. Suspected Iranian Hackers Targeted U.S. Aerospace Sector – Thedailybeast
  4. Security experts: Iran-backed hackers targeting U.S. and Saudi Arabia – CNN Tech
  5. APT33: Researchers Expose Iranian Hacking Group Linked to Destructive Malware – thehackernews
  6. 8 March 2017 – StoneDrill advanced wiper malware discovered in the wild – scmagazine
  7. 8 March 2017 – StoneDrill A New Rising Malware to Wipe Disks – cyberwhizz
  8. Shamoon malware spawns even nastier ‘StoneDrill’ – Data-destroying code moves on from Middle East, now rampaging through Europe – theregister
  9. 6 March 2017 – From Shamoon to StoneDrill Wipers attacking Saudi organizations and beyond – Kaspersky Lab
  10. 6 Marrch 2017 – Destructive StoneDrill Wiper Malware On The Loose – threatpost

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: