Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Iranian Cyberspies Update Infrastructure Following Recent Report

The Iran-linked cyberespionage group APT33 has updated its infrastructure following a March 2019 report detailing its activities, according to researchers from Recorded Future.

The Iran-linked cyberespionage group APT33 has updated its infrastructure following a March 2019 report detailing its activities, according to researchers from Recorded Future.

Also referred to as Elfin, APT33 has been engaged in cyberespionage activities since at least 2013, mainly targeting entities in the Middle East, but also hitting U.S., South Korean, and European targets. 

After a report detailing the actor’s attacks on Saudi Arabia and the United States was published in March 2019, most of the exposed domains were parked or no longer resolve to a real IPv4 address, the security researchers have discovered. 

Others were moved to new providers, with four of them being updated the day after publication and resolving to the same IP, which is registered to Swiss-dedicated hosting provider Solar Communications GmBH. 

This shows that the actors are aware of the media coverage of their activities and that they possess the necessary resources to react quickly. Despite public exposure, however, the group continued to focus on Saudi Arabian organizations, in line with its historical targeting patterns. 

Since late March, the actor was observed employing over 1,200 domains in its operations, along with commodity malware. Of these command and control (C&C) domains, 728 were identified communicating with infected hosts, with 575 of them communicating with hosts infected by one of 19 mostly publicly available RATs.

The security researchers also noticed that many of the suspected APT33 domains were associated with malware families related to njRAT infections, although the RAT hasn’t been used by the actor before. Commodity RAT malware families such as AdwindRAT and RevengeRAT were also employed. 

Advertisement. Scroll to continue reading.

Recorded Future believes that either APT33 or a closely aligned threat actor has targeted a conglomerate headquartered in Saudi Arabia (involved in the engineering and construction, utilities, technology, retail, aviation, and finance sectors), two Saudi healthcare organizations, a Saudi company in the metals industry, an Indian mass media company, and a delegation from a diplomatic institution. 

The security researchers also believe that one APT33 actor, the Nasr Institute, is highly likely an agent of the Iranian government cyber operations apparatus. The security researchers believe that the Iranian government uses organizations that have nominally public service missions to obfuscate their malicious cyber operations, just as nations such as China and Russia do. 

Further analysis of links between the Nasr Institute and Kavosh Security Group has revealed a possible overlap in the activities of APT33, APT35, and MUDDYWATER threat actors, likely “a result of the tiered structure that Iran utilizes to manage cyber operations.”

“Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations (such as the Nasr Institute), and others that are contracted private companies (such as ITSec Team),” the security researchers say. 

Related: Iran-Linked Cyberspy Group APT33 Continues Attacks on Saudi Arabia, U.S.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...