APT33 hacker group stepped up phishing emails masquerading as an oil and gas company to its targets after US nuclear deal withdrawal
Iran hackers ramping up attacks on Gulf energy firms
An Iranian hacker group has significantly stepped up its cyber espionage operations against GCC companies in the energy sector after US President Donald Trump withdrew from the nuclear deal and reimposed sanctions on Tehran’s economy, according to a new investigation.
Security firm FireEye released new research on Tuesday that showed how the hacker group APT33, widely believed to be linked to the Iranian regime, has targeted Middle Eastern companies as well as organisations from the United States and Japan across various sectors including utilities, insurance, manufacturing and education.
The hacker group sent spear phishing emails to its targets between July 2 and July 29. In the emails, the group disguised its messages as mail from a Middle Eastern oil and gas company, which was not identified by FireEye. Such emails seek to trick the recipient into clicking malicious links that transfer sensitive information to the hackers.
In response to a question from The National, the firm said "GCC states" were targeted by the group, but declined to be more specific.
“In July, we observed a significant increase in activity from this Iran-affiliated APT group,” Alister Shepherd, Middle East and Africa director for Mandiant, a consulting arm at FireEye, said on Tuesday.
He added that APT33's operation likely focused on the energy sector because Iran's own energy industry has been severely affected "by recent sanctions" reimposed after Mr Trump's withdrawal and the group may have been seeking to target its rivals' industries.
The American firm saw a ten-fold increase in the phishing emails “from a small number… to a large volume”. It said it expected the operations to continue, targeting the same sectors, as the sanctions continue to bite.
The security firm said it had a high degree of certainty that the hacker group was linked to Iran.
“We are confident in the Iranian government link, this is based on four years of tracking activity,” Mr Shepherd told reporters at a briefing in Dubai.
The timing of the group’s activities was one of the key indicators that they were based out of Iran. Its operatives primarily worked “Saturday through Wednesday…which fits with the Iranian week. When it happens consistently over time that’s a strong indicator,” the FireEye executive said.
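As an added illustration of the working-week check described above (example code written for this page, not FireEye's or the article's own tooling), the script below converts a constructed set of activity timestamps from UTC to Iranian local time and scores them against several candidate working weeks; the sample timestamps, the UTC+03:30 offset and the 90% threshold are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Iran Standard Time, UTC+03:30 (assumed fixed; no daylight-saving handling here).
IRST = timezone(timedelta(hours=3, minutes=30))
UTC = timezone.utc

# Candidate working weeks as datetime.weekday() values (Mon=0 .. Sun=6).
WORK_WEEKS = {
    "Sat-Wed (Iran)": {5, 6, 0, 1, 2},
    "Sun-Thu (Gulf)": {6, 0, 1, 2, 3},
    "Mon-Fri": {0, 1, 2, 3, 4},
}

# Constructed sample of operator activity times in UTC (not real APT33 data).
# One event (13 July 20:45Z) is a Friday in UTC but already Saturday in Iran.
SAMPLE_EVENTS_UTC = [
    "2018-07-07T05:00:00", "2018-07-08T06:15:00", "2018-07-09T04:30:00",
    "2018-07-10T07:45:00", "2018-07-11T05:20:00", "2018-07-13T20:45:00",
    "2018-07-14T06:00:00", "2018-07-15T05:10:00", "2018-07-16T08:00:00",
    "2018-07-17T04:50:00", "2018-07-19T06:00:00",
]

def to_local(ts_utc, tz=IRST):
    """Parse a naive ISO-8601 UTC timestamp and shift it into the candidate zone."""
    return datetime.fromisoformat(ts_utc).replace(tzinfo=UTC).astimezone(tz)

def weekday_histogram(events_utc, tz=IRST):
    """Count events per local weekday name, the shape an analyst inspects first."""
    return Counter(to_local(ts, tz).strftime("%a") for ts in events_utc)

def work_week_scores(events_utc, tz=IRST, weeks=WORK_WEEKS):
    """Fraction of events falling inside each candidate working week."""
    local_days = [to_local(ts, tz).weekday() for ts in events_utc]
    if not local_days:
        return {name: 0.0 for name in weeks}
    return {name: sum(d in days for d in local_days) / len(local_days)
            for name, days in weeks.items()}

def best_fit(events_utc, tz=IRST, min_fraction=0.9):
    """Best-matching week name, or None if no week explains enough of the activity."""
    scores = work_week_scores(events_utc, tz)
    name, frac = max(scores.items(), key=lambda kv: kv[1])
    return name if frac >= min_fraction else None

if __name__ == "__main__":
    print(weekday_histogram(SAMPLE_EVENTS_UTC))
    print(work_week_scores(SAMPLE_EVENTS_UTC))
    print(best_fit(SAMPLE_EVENTS_UTC))
```

Scoring the same events without the timezone shift drops the Saturday-to-Wednesday fit below the threshold, which is why the conversion step matters before drawing any attribution conclusion.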
The security firm also saw Farsi language used in some of the hacker group’s coding. It said the phishing was not a false flag operation, as the company’s tracking involved “actively watching the attacker come in and do their work”.
Earlier this year, the United States withdrew from the nuclear deal signed between Tehran and world powers in July 2015 that sought to limit Iran’s nuclear programme in return for the lifting of crippling international sanctions. US President Donald Trump reimposed those sanctions in August, with a second raft of sanctions expected in November.
The US has threatened to impose secondary sanctions on any country doing business with Iran. The American measures are expected to severely impact Iran’s oil sector and its wider economy.
“The motivation behind the operation is uncertain, but it’s possible that the attackers were using spear phishing to facilitate the theft of intellectual property or to subsequently cause disruption in retaliation to the sanctions,” Mr Shepherd continued.
“It’s imperative for companies to ensure they are capable of quickly detecting and responding to these intrusion attempts.”
The hacker group was conducting similar cyber espionage operations before the 2015 nuclear deal. FireEye’s last report on APT33, released in September 2017, revealed the group had been carrying out cyber espionage operations since 2013. It had attacked organisations across multiple industries – from aviation to petrochemical production – in the United States, Saudi Arabia and South Korea.
It concluded that the targeting of a Saudi organisation using phishing emails was possibly a bid to gain insight into the workings of Iran’s regional rivals, specifically in the Arabian Gulf.
The security firm pointed to several trends that indicated the hacker group was linked to the Iranian regime. One of the actors attempting to spread APT33 malware was a prominent figure on Iranian hacktivist forums and had links to the Nasr Institute, widely believed to be Iran’s “cyber army” controlled by Tehran.
The group’s targeting of companies in the aerospace and energy industries aligns with Iranian state interests.
To carry out its operations, APT33 used hacker tools popular with other suspected Iranian threat groups and used Iranian hosting companies.
The evidence, the security firm said, points to the hacker group likely being based out of Iran and acting on the direction of the Iranian state. It said it was likely searching for strategic intelligence that could aid a government or military sponsor to enhance its decision-making or improve its own capabilities.
The latest report from FireEye comes after it released another body of evidence about Iranian state activities last month. It revealed the breadth of Iran’s disinformation efforts on social media, using fake accounts to promote the regime’s agenda and oppose Western policies it believes harms Iranian interests.
A tip-off from FireEye pushed Facebook, Google and Twitter into removing dozens of accounts suspected of links to the Iranian propaganda campaign.
Material spread by the accounts included cartoons of Saudi Crown Prince Mohammad Bin Salman, articles opposing US President Donald Trump, and others supportive of politicians seen as more favourable to Iranian policy, including British opposition leader Jeremy Corbyn.