Now on Demand Ransomware Resilience & Recovery Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Iranian Cyberspies Update Infrastructure Following Recent Report

The Iran-linked cyberespionage group APT33 has updated its infrastructure following a March 2019 report detailing its activities, according to researchers from Recorded Future.

The Iran-linked cyberespionage group APT33 has updated its infrastructure following a March 2019 report detailing its activities, according to researchers from Recorded Future.

Also referred to as Elfin, APT33 has been engaged in cyberespionage activities since at least 2013, mainly targeting entities in the Middle East, but also hitting U.S., South Korean, and European targets. 

After a report detailing the actor’s attacks on Saudi Arabia and the United States was published in March 2019, most of the exposed domains were parked or no longer resolve to a real IPv4 address, the security researchers have discovered. 

Others were moved to new providers, with four of them being updated the day after publication and resolving to the same IP, which is registered to Swiss-dedicated hosting provider Solar Communications GmBH. 

This shows that the actors are aware of the media coverage of their activities and that they possess the necessary resources to react quickly. Despite public exposure, however, the group continued to focus on Saudi Arabian organizations, in line with its historical targeting patterns. 

Since late March, the actor was observed employing over 1,200 domains in its operations, along with commodity malware. Of these command and control (C&C) domains, 728 were identified communicating with infected hosts, with 575 of them communicating with hosts infected by one of 19 mostly publicly available RATs.

The security researchers also noticed that many of the suspected APT33 domains were associated with malware families related to njRAT infections, although the RAT hasn’t been used by the actor before. Commodity RAT malware families such as AdwindRAT and RevengeRAT were also employed. 

Recorded Future believes that either APT33 or a closely aligned threat actor has targeted a conglomerate headquartered in Saudi Arabia (involved in the engineering and construction, utilities, technology, retail, aviation, and finance sectors), two Saudi healthcare organizations, a Saudi company in the metals industry, an Indian mass media company, and a delegation from a diplomatic institution. 

Advertisement. Scroll to continue reading.

The security researchers also believe that one APT33 actor, the Nasr Institute, is highly likely an agent of the Iranian government cyber operations apparatus. The security researchers believe that the Iranian government uses organizations that have nominally public service missions to obfuscate their malicious cyber operations, just as nations such as China and Russia do. 

Further analysis of links between the Nasr Institute and Kavosh Security Group has revealed a possible overlap in the activities of APT33, APT35, and MUDDYWATER threat actors, likely “a result of the tiered structure that Iran utilizes to manage cyber operations.”

“Within this structure, we assessed that managers are running multiple teams, some of which are associated with government organizations (such as the Nasr Institute), and others that are contracted private companies (such as ITSec Team),” the security researchers say. 

Related: Iran-Linked Cyberspy Group APT33 Continues Attacks on Saudi Arabia, U.S.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

MSSP Dataprise has appointed Nima Khamooshi as Vice President of Cybersecurity.

Backup and recovery firm Keepit has hired Kim Larsen as CISO.

Professional services company Slalom has appointed Christopher Burger as its first CISO.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.