CyberWire Daily - APT 33: FireEye's John Hultquist on an Iranian Cyber Espionage Group. [Research Saturday]
Episode Date: September 30, 2017
APT 33 is an Iranian cyber espionage group that targets aerospace and energy sectors and has ties to destructive malware. John Hultquist is Director of Intelligence Analysis at FireEye, and he takes us through their research.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
data products platform comes in. With Domo, you can channel AI and data into innovative uses that
deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to
your role. Data is hard. Domo is easy. Learn more at ai.domo.com.
That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks
and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors
more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers
by hiding your attack surface,
making apps and IPs invisible,
eliminating lateral movement,
connecting users only to specific apps,
not the entire network,
continuously verifying every request
based on identity and context,
simplifying security management
with AI-powered automation,
and detecting threats using AI
to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
We started encountering this adversary in spring of 2016.
That's John Hultquist. He's the director of intelligence analysis at FireEye.
Today, he's going to be telling us about APT33.
Since then, we've been involved in about six different incident responses
where we have found the adversary in organizations,
mostly in the Middle East, but also U.S. and South Korean organizations.
So give us an overview. What are we dealing with here?
APT 33 is one of multiple intrusion groups or actors that appear to be operating on behalf
of the Iranian government. This group specifically, we were able to
sort of draw a line around their activity to get a good idea of who they are and what tools they
use and their connection to the Iranian government. But this is a group that appears to be mainly
focused on cyber espionage, sort of the classic mission of gathering intelligence for, in this case, possibly defensive advantage.
If you look at the targets in the report, you'll notice a lot of them work in the defense industry, a lot of aerospace.
That's a sector that every actor that we encounter hits: the defense industrial base. And this group particularly is interested there.
So give us an idea, any sense for why they're targeting aerospace in particular.
So we've seen all these aviation and aerospace assets. Some of them are focused in the region,
that there are organizations that work in the region. We believe that they are seeking defensive advantage and trying to understand the posture, for instance, of their neighbors and regional adversaries.
But we also think that a lot of defense industrial targeting is driven by the need to create an indigenous industry, a defense industry, and sort of leapfrog ahead by stealing the intellectual property of adversaries like the U.S.
And so how do they go about doing it?
In this case, this group has been using spear phishing lures sent that appear to be information about job opportunities.
They've done that to target both the defense industrial base as well as people in the petrochemical industry.
Fairly decent looking.
They include information about the specifics of the job and even those equal opportunity statements at the bottom.
The malicious piece of that is that they are sending these links to an HTA file,
which will prompt the user to run,
and then if the user chooses yes, can actually launch code.
What is an HTA file?
Sort of an HTML executable.
So from a technical point of view with this spear phishing,
is it technically sophisticated or is it a run of the mill campaign?
It's interesting. They've made a couple of mistakes. They actually appear to be using a tool that you can get in the
Iranian underground. You can Google it and find it pretty easily all over the place.
It's called Alpha Team Shell. And the tool is readily available. And it's sort of a plug and
play. You plug in whatever you want to send in your spearfish. It does a lot of the work for you.
And we know that they're using that tool because they've made mistakes,
and rather than plugging their own information in, they actually sent the default information over.
So they're using domain masquerading. Can you take us through that technique?
So oftentimes one of the clues that we get to identify potential targets or areas of interest is domain masquerading.
Sometimes those domains are used as part of like a malicious link.
Sometimes they're used as command and control.
Typically, these will be domains that appear to be legitimate organizations that are the focus of targeting or the activity.
In this case, we saw a lot of domain masquerading surrounding defense companies in the Middle East
and U.S. defense companies. So these will be domains that look similar enough to the companies
that they're trying to masquerade as that perhaps at first glance, people wouldn't notice that
there's something unusual about them.
Exactly. If you sent, for instance, a malicious link with some of these domains,
I think the average user may not notice at all.
Now, you all have also identified a specific persona that you say is probably linked to the Iranian government.
That's right. So the X-Man persona, we can link to the Nasser Institute.
And the Nasser Institute is an organization
which has come up time and time again
with probable connections to the Iranian government.
And that's not the only clue that we have
that this is Iranian or linked to the Iranian government.
X-Man also shows up in other places,
particularly a lot of Iranian hacking forums,
suggesting that this is Iranian. The targeting is focused on the regional defense industrial base
as well as regional petrochemicals. We were able to actually even look at our timing artifacts
or date and time artifacts throughout the code and stack those on top of each other. And we noticed
when the actor was working and when they weren't working.
And if you look at when they were working during the day,
it appears that they're working a nine to five in Tehran time.
But they're also taking off days that are consistent with the Iranian weekend,
which is actually a kind of specific time frame. They take Thursdays off,
for instance, when a lot of countries don't do that.
Yeah, so you have quite a lot of information that ties this to Iran.
We do. When we're dealing with intelligence work,
and when we're dealing with an adversary that is probably associated with security services
or intelligence organizations, it's never going to be perfect, but in this case, there are a lot of different pieces of evidence
which suggest that this is an Iranian actor, specifically a government actor.
One of the points that is made in the report that you've published about this
is that there are some ties with capabilities and comparisons with Shamoon.
Can you start off just by describing for our listeners what Shamoon is and then how this compares to it?
Great question.
So we took a look at Shamoon and a disruptive component that we found connected to this activity.
We're actually not the only one, because Kaspersky did a similar look
earlier. Shamoon is the tool that's been used again and again in destructive incidents
in the region. It's the preferred cyber destructive tool of the Iranian government. When we found
this destructive component associated with APT33, we were wanting to know if there was any connection between the two.
We could not find a connection. This appears to be independent capability. The destructive
component does suggest that these actors could be used to carry out disruptive or destructive
missions at some point in the future. That sort of trajectory is consistent with a lot of actors who have sort of been taken
off a more classic cyber espionage mission and put into a mission that's disruptive and destructive.
A good example of that would be a group that we call Sandworm. That's the same organization or intrusion group that turned out the lights in Ukraine.
When we first found Sandworm, they weren't turning out the lights somewhere.
They were actually quietly carrying out cyber espionage against the Ukrainian government and NATO.
And we see that sort of thing all over the place.
The North Korean hackers who have done destructive activity in the past are typically,
when we see them, they are carrying out espionage. When we see the APT-28, the actor who was involved
in the DNC incidents, still to this day, the majority of their operations are classic espionage
against diplomatic institutions and governments.
So to be clear, so far, APT 33 has really only been involved with espionage.
You haven't seen any cases of destructive sorts of things, yes?
That's true.
But we did find the destructive tool that appears to be connected to APT 33, which raises
that question. Would they be used in a
scenario where the Iranian government chose to become more oppressive? They do regularly use
Shamoon, but that's only one, I think, one component or one tool that they have at their
disposal. And we're also very concerned about that prospect given shifting geopolitics,
particularly between the West and
Iran. Prior to the negotiations and the agreement, Iran had been quite aggressive with the West using
this capability as sort of an asymmetric tool. They carried out DDoS attacks. They carried out
destruction in the U.S. as well as in their sort of near abroad. But since those negotiations
and that agreement, we've seen very little of that. Instead, we've seen a lot of that destructive
and disruptive capability used in the Middle East, particularly in Saudi Arabia and other Gulf
countries.
Can you give us a sense for how widespread this is? Are the attacks so targeted or are they casting a wide net?
They appear to be fairly targeted.
They seem to be interested in a limited set of organizations and sectors.
We're not seeing evidence that they are even yet really focused outside of the Middle East.
The organizations that are getting caught up in their activity right now appear to be organizations that also do work in the Middle East
or have some interests there.
Almost every country on Earth, or many, many countries,
have oil and gas interests in the Gulf.
And because they do business there, they are falling into this net. That's how we
ended up with situations where South Korea was also affected. Defense, it's not that dissimilar
either. Defense companies throughout the world do business in the region. They provide arms and
capability to Saudi Arabia and other nations. Iran has an interest in surveilling those capabilities,
building up their own indigenous capabilities.
And so what are your recommendations for organizations to protect themselves against this?
I think that there are two things. One,
this is the opportunity. So we're seeing these actors, or we've identified these actors,
we've identified their TTPs. Now they are focused
regionally, but this is something that we've seen again and again. These regionally focused actors
become global problems. If you are already doing business in the Middle East, you should be taking
a really hard look at the actor, particularly their TTPs, looking at your organization and
seeing if you're prepared for things like this Alpha Team Shell, which you could conceivably get
your hands on and try out yourself. If you are not doing business in the Middle East,
maybe you're not in the defense organization or you're not a petrochemical organization,
you probably should start thinking about if things change or if the circumstances
change, would you be at risk to a disruptive or destructive attack? Oftentimes, a lot of the
espionage activity falls into the public sector sphere or defense industrial base, which is sort
of quasi public sector. When we start talking about destructive and disruptive attack,
a lot of the targets are private industry. So this is an opportunity to start more gaming that
possibility and thinking about preparations and asking your organization if they're prepared for
something like that.
Our thanks to John Hultquist from FireEye for joining us.
You can find the complete report on APT33 on FireEye's website.
Cyber threats are evolving every second, and staying ahead is more than just a challenge.
It's a necessity.
That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
ThreatLocker is a full suite of solutions designed to give you total control,
stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.