Khaleej Times

Iranian hackers targeted US firms

- Bernd Debusmann Jr. bernd@khaleejtimes.com

Dubai — A hacking group suspected of working on behalf of Iran has been conducting cyber espionage operations most likely since 2013, according to researchers from cybersecurity firm FireEye.

The group, which FireEye has dubbed ‘APT33,’ has targeted organisations spanning multiple industries in the US, South Korea and Saudi Arabia. However, there is currently no evidence to suggest that APT33 has taken an interest in the UAE or companies that operate here.

Stuart Davis, regional director, Middle East Europe Africa (MEA), for Mandiant (a FireEye company), said that “the campaigns we’ve seen are aligned to the interest of the Iranian government and Iranian military.”

The group’s operating methods, Davis added, show that it targets organisations only after carefully studying whom to target and why.

“They started masquerading as personas of real people, or real jobs that were being offered, and sending e-mails and lures into customer environments, with links to real job sites,” he said.

“It means they’re spending a lot of time crafting this. They’re understanding who their adversary is.”

He added: “We know from our research that Iran has military operations and wants to expand on those. But without knowing their neighbouring countries’ capabilities or those of other nation-states, it is difficult for them to understand what to invest in or how to expand. Using cyber is a great way for them to get that understanding and then plan military objectives.”

Recent incidents

According to researchers, the group is particularly focused on organisations involved in commercial and military aviation, as well as organisations in the energy sector that have ties to petrochemical production.

Between mid-2016 and early 2017, for example, APT33 compromised an American company in the aviation sector, as well as a Saudi conglomerate with aviation holdings. At the same time, the group was targeting a South Korean company involved in oil refining and petrochemicals. In May 2017, the group went on to target a Saudi organisation and South Korean conglomerate using a malicious file that attempted to entice victims with job vacancies at a Saudi petrochemical company.

Similarly, FireEye believes that APT33’s targeting of the South Korean companies may have been due to South Korea’s recent partnerships with Iran’s petrochemical industry, as well as their relationship with petrochemical companies in Saudi Arabia.

In recent years, Iran has expressed an interest in expanding its petrochemical industry, often positing this expansion in competition to their counterparts in Saudi Arabia.

“What we do know is that those are two significant industries in the region, which provide any country the ability to grow,” Davis said.

“As a nation-state that’s quite alienated...a key need for groups like that is a better understanding of what happens in certain areas, like aviation. This aids them commercially, and for any military interests they may have,” he added.

In the future, FireEye expects APT33 to continue to cover a broad scope of targeted entities, and that it may eventually spread to other regions and sectors as Iranian interests change.

Additionally, the group is thought to be developing “destructive tools”, and may eventually conduct destructive operations against its targets.
