Iranian Cyberspies Update Infrastructure Following Recent Report

The Iran-linked cyberespionage group APT33 has updated its infrastructure following a March 2019 report detailing its activities, according to researchers from Recorded Future.

Also referred to as Elfin, APT33 has been engaged in cyberespionage activities since at least 2013, mainly targeting entities in the Middle East, but also hitting U.S., South Korean, and European targets. 

After a report detailing the actor’s attacks on Saudi Arabia and the United States was published in March 2019, most of the exposed domains were parked or no longer resolve to a real IPv4 address, the security researchers have discovered. 

Others were moved to new providers, with four of them being updated the day after publication and resolving to the same IP, which is registered to Swiss-dedicated hosting provider Solar Communications GmBH. 

This shows that the actors are aware of the media coverage of their activities and that they possess the necessary resources to react quickly. Despite public exposure, however, the group continued to focus on Saudi Arabian organizations, in line with its historical targeting patterns. 

Since late March, the actor was observed employing over 1,200 domains in its operations, along with commodity malware. Of these command and control (C&C) domains, 728 were identified communicating with infected hosts, with 575 of them communicating with hosts infected by one of 19 mostly publicly available RATs.

The security researchers also noticed that many of the suspected APT33 domains were associated with malware families related to njRAT infections, although the RAT hasn’t been used by the actor before. Commodity RAT malware families such as AdwindRAT and RevengeRAT were also employed. 

Recorded Future believes that either APT33 or a closely aligned threat actor has targeted a conglomerate headquartered in Saudi Arabia (involved in the engineering and construction, utilities, technology, retail, aviation, and finance sectors), two Saudi healthcare organizations, a Saudi company in the metals industry, an Indian mass media company, and a delegation from a diplomatic institution. 

The security researchers also believe that one APT33 actor, the Nasr Institute, is highly likely an agent of the Iranian government cyber operations apparatus. The security researchers believe that the Iranian government uses organizations that have nominally public service missions to obfuscate their malicious cyber operations, just as nations such as China and Russia do. 

Further analysis of links between the Nasr Institute and Kavosh Security Group has revealed a possible overlap in the activities of APT33, APT35, and MUDDYWATER threat actors, likely “a result of the tiered structure that Iran utilizes to manage cyber operations.”

“Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations (such as the Nasr Institute), and others that are contracted private companies (such as ITSec Team),” the security researchers say. 

Related: Iran-Linked Cyberspy Group APT33 Continues Attacks on Saudi Arabia, U.S.