Introduction
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [9][6]
Activities and Tactics
Targeted Sectors: Private sector
Country of Origin: 🇮🇷 Iran
Risk Level: High
Incident Type: Espionage
Suspected Victims: United States, Saudi Arabia, South Korea
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1552.001 Credentials In Files
- T1003.005 Cached Domain Credentials
- T1560.001 Archive via Utility
- T1555.003 Credentials from Web Browsers
- T1552.006 Group Policy Preferences
- T1027.013 Encrypted/Encoded File
- T1566.001 Spearphishing Attachment
- T1003.001 LSASS Memory
- T1566.002 Spearphishing Link
- T1110.003 Password Spraying
- T1003.004 LSA Secrets
- T1053.005 Scheduled Task
- T1555 Credentials from Password Stores
- T1546.003 Windows Management Instrumentation Event Subscription
- T1105 Ingress Tool Transfer
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1588.002 Tool
- T1040 Network Sniffing
- T1071.001 Web Protocols
- T1059.001 PowerShell
- T1547.001 Registry Run Keys / Startup Folder
- T1078 Valid Accounts
- T1573.001 Symmetric Cryptography
- T1059.005 Visual Basic
- T1132.001 Standard Encoding
- T1571 Non-Standard Port
- T1078.004 Cloud Accounts
- T1203 Exploitation for Client Execution
- T1204.002 Malicious File
- T1204.001 Malicious Link
- T1068 Exploitation for Privilege Escalation
- T0852 Screen Capture
- T0865 Spearphishing Attachment
- T0853 Scripting
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- Cyber Eye RAT
MITRE ATT&CK Software
- PowerSploit (S0194) – tool
- AutoIt backdoor (S0129) – malware
- PoshC2 (S0378) – tool
- Ruler (S0358) – tool
- Mimikatz (S0002) – tool
- NanoCore (S0336) – malware
- DEADWOOD (S1134) – malware
- StoneDrill (S0380) – malware
- POWERTON (S0371) – malware
- LaZagne (S0349) – tool
- TURNEDUP (S0199) – malware
- NETWIRE (S0198) – malware
- Net (S0039) – tool
- Pupy (S0192) – tool
- Empire (S0363) – tool
- ftp (S0095) – tool
Attribution and Evidence
Country of Origin: Iran
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[6] FireEye APT33 Webinar Sept 2017: Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
[7] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[8] Microsoft Holmium June 2020: Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
[9] FireEye APT33 Sept 2017: O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
[10] Symantec Elfin Mar 2019: Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.