This blog post continues our ongoing research into Iranian threat actor groups, in particular provides some updates on APT33. APT33 has been operating since at least 2013, and this blog provides an update on some of their most recent activity. You can view some of our previous research here and here and read a recent ThreatConnect blog on APT33 infrastructure here.
Following the collapse of the Iran nuclear deal, concerns over Iranian threat actor groups have increased. Interest in these groups has increased following recent events including the assassination of a top military official (Major General Qasem Soleimani) and the subsequent downing of a civilian jetliner near Tehran in early January 2020. More recently, the Iranian government issued an arrest warrant for Donald Trump. However, as Covid-19 dominated the news and threat actors began using it en masse to defraud victims, public attention toward Iranian threat groups has diminished.
APT33 (also referred to as Refined Kitten, Magnallium, and Holmium) is an Iranian threat group known to target a wide range of industry sectors in multiple countries. Attacks have been documented against companies operating in the US in the aviation and petrochemical industries as well as military contractors. APT33 attacks are generally multi-staged attacks utilizing weaponized documents, known vulnerabilities in productivity software such as CVE-2017-11774, as well as PowerShell backdoors. These attacks are often launched from a domain resembling a legitimate business service. An example domain would be customermgmt[.]net, which was revealed by US Cyber Command on July 2, 2019 to be associated with APT33.
USCYBERCOM has discovered active malicious use of CVE-2017-11774 and recommends immediate #patching. Malware is currently delivered from: 'hxxps://customermgmt.net/page/macrocosm' #cybersecurity #infosec
— USCYBERCOM Cybersecurity Alert (@CNMF_CyberAlert) July 2, 2019
Another recent example is from our integration partner ThreatConnect, who have similarly identified some recent suspected registrations <https://threatconnect.com/blog/threatconnect-research-roundup-possible-apt33-infrastructure/>.
Typical APT33 domain registrations continue despite the global uptick in Coronavirus-themed attacks. HYAS continues to monitor suspected APT33 activity on behalf of our customers. We examined suspicious registrations over a 90-day period and identified a number of domains that were registered using TTP’s that we had previously associated with APT33.
Below is a sample of the recent data we uncovered on APT33. The full IoC list is available to HYAS customers or by contacting us here (mention the APT33 report in the message body).
