Check out all of our upcoming events


Latest cybersecurity news, insights and commentary by Telesoft engineers and specialists

The APT Series Part 2 'APT33'

on Friday, 11 October 2019. Posted in Cyber

The APT Series Part 2  'APT33'

The Elfin team are more commonly known as APT33 (they also go by other names like Refined Kitten, Magnallium and Holmium) and have been identified to be supported and sponsored by the Iran Government. APT33have been operating since 2013.

Who do they target?

APT33 have shown interest in a wide range of organisations that have headquarters in Saudi Arabia and South Korea, with a particular taste for targets in the aviation sector (both military and commercial), as well as organisations in the energy sector with ties to oil and gas production. The underlying motive for the selection of target seems to mirror Iranian Government areas of interest and desired expansion.

Notable attack history?

Mid 2016 to early 2017:

APT33 breached a U.S. organisation in the aerospace industry and targeted a conglomerate located in Saudi Arabia with ties to the same sector.

At around the same time a suspected APT33 attack was directed at a Saudi organisation and a South Korean business conglomerate using a file that brought victims in with job vacancies for a Saudi Arabian oil and gas company.

What are their methods and TTPs?

Spear phishing:

A recently utilised methodology of the group is spear phishing, illustrated when thousands of targeted emails were sent to employees within the target company containing links to nefarious HTML application (.hta) files. The .hta files displayed legitimate job postings on popular websites tailored to the individual target. Unbeknown to the victim, the file would also contain embedded PowerShell code that would download a custom backdoor.

Domain masquerading:

APT33 have registered multiple ‘similar looking’ domains that are close to Saudi Arabian companies and western partnerships. It is likely that these were used in the above spear phishing attacks.

Other capabilities and tactics:

APT33 have been identified as using…

  • DROPSHOT – a dropper that can be used to drop and launch other malicious programs, in this case the TURNEDUP backdoor and the SHAPESHIFT wiper malware.
  • Nanocore RAT – a remote access trojan that’s available publicly.
  • NetWire – a backdoor that is used to steal credentials from the local machine, this too is publicly available.
  • TURNEDUP – a backdoor capable of creating reverse shells, taking screenshots, gathering system information and uploading and downloading files.

In summary?

Seeing an attacker enables you to defend against them, a way to effect this is to lay over the physical network and its traffic the information and intelligence obtained from previous attackers or attacks. This tactic is strengthened by combining Open Source Intelligence (OSINT), derived intelligence and calculating behavioural patterns, methodologies and ultimately the optimal machine and human responses to optimally mitigate current and future attack campaigns.

Deriving intelligence can be done with multiple tools and in multiple ways. One such way is to utilise high visibility of traffic flows by using a network traffic probe, combined with an integrated IDS system that can identify malicious packets and flows, whilst storing the raw activity of targets of interest for deep forensics. The output from these tools can then be passed to a platform that allows packet and flow level forensic investigation which then can be filtered and further analysed to build up a pattern of attacks and even describe campaigns and attacker capability.

Leave a comment

You are commenting as guest.

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.