For more than five years, Iran has maintained a reputation as one of the most aggressive nations in the global arena of state-sponsored hacking, stealing data from corporate and government networks around the world, bombarding US banks with cyberattacks, and most brazen of all, unleashing multiple waves of computer-crippling malware that hit tens of thousands of PCs across the Middle East.
But amidst that noisy mayhem, one Iranian group has managed to quietly penetrate a broad series of targets around the world, until now evading the public eye. And while that group seems to have stuck to traditional spying so far, it may also be laying the groundwork for the next round of destructive attacks.
Security firm FireEye has released new research into a group it calls Advanced Persistent Threat 33, attributing a prolific series of breaches of companies in the aerospace, defense, and petrochemical industries in countries as wide-ranging as Saudi Arabia, South Korea, and the US. While FireEye has closely tracked APT33 since May of last year, the security firm believes the group has been active since at least 2013, with firm evidence that it works on behalf of Iran’s government. And though FireEye describes APT33’s activities as largely focused on stealthy spying, it has also found links between the group and a mysterious piece of data-destroying malware that security analysts have puzzled over since earlier this year.
“This could be an opportunity for us to recognize an actor while they’re still focused on classic espionage, before their mission becomes more aggressive,” says John Hultquist, FireEye’s director of intelligence analysis. He compares APT33 to Sandworm, a hacking operation FireEye discovered in 2014 and tied to Russia, which began with spying intrusions against NATO and Ukrainian targets before escalating to data-wiping attacks in 2015 and finally two sabotage attacks against the Ukrainian power grid. “We’ve seen them deploy destructive tools they haven’t used. We’re looking at a team whose mission could change to disruption and destruction overnight.”
FireEye says it’s encountered signs of APT33 in six of its own clients’ networks, but suspects far broader intrusions. For now, it says the group’s attacks have focused on Iran’s regional interests. Even the targets in the US and Korea, for instance, have comprised companies with Middle East ties, though FireEye declines to name any specific targets. “They’re hitting companies headquartered all over the world,” Hultquist says. “But they’re being swept up into this activity because they do business in the Gulf.”