Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Elfin Team, Refined Kitten (by CrowdStrike), Magnallium (by Dragos), and Peach Sandstorm and Holmium (by Microsoft). It is categorized as an advanced persistent threat.
History
FireEye believes that the group was formed no later than 2013.
Targets
APT33 has reportedly targeted organizations in the aerospace, defense and petrochemical industries in the United States, South Korea, and Saudi Arabia.
Modus operandi
APT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift or install a backdoor called TurnedUp.
The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application (HTA) files to its targets.
APT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.
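The two mail-borne indicators described above, HTA attachments and sender domains that imitate the companies APT33 impersonated, are the kind of thing a mail-gateway triage script can flag before a user opens anything. The following is an added example written for this page; it is not FireEye's or any vendor's tooling, and the brand list, the legitimate-domain allowlist, the homoglyph table, the edit-distance threshold and the log lines are all constructed assumptions.

```python
# Added example for the two mail-borne indicators described above (HTA
# attachments and sender domains that imitate targeted companies). This is
# illustrative triage code written for this page; it is not FireEye's or any
# vendor's tooling. The brand list, the legitimate-domain allowlist, the
# homoglyph table, the distance threshold and the log lines are all
# constructed assumptions.
import re

# Assumed legitimate domains of the companies the page says were impersonated.
LEGITIMATE_DOMAINS = {"boeing.com", "northropgrumman.com", "vinnell.com", "alsalam.aero"}
# Brand labels to match against (a fixed order keeps matching deterministic).
BRANDS = ("alsalam", "boeing", "northropgrumman", "vinnell")
# Characters lookalike registrations commonly swap in; collapsed before matching.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "-": "", "_": ""})
HTA_RE = re.compile(r"\.hta$", re.IGNORECASE)


def normalize_label(domain):
    """Return the registrable label of a domain with homoglyphs collapsed.

    Takes the label left of the last dot, so 'b0eing-jobs.net' -> 'boeingjobs'.
    This ignores multi-part public suffixes such as .co.uk; a real deployment
    would consult a public-suffix list instead.
    """
    labels = domain.lower().strip(".").split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return label.translate(HOMOGLYPHS)


def levenshtein(a, b):
    """Plain edit distance, used to catch short typosquats of a brand label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(domain, max_distance=2):
    """Return the brand a sender domain imitates, or None.

    Known-good domains are never flagged. Anything else is flagged when its
    normalized label embeds a brand name or is within max_distance edits of it.
    """
    domain = domain.lower().strip(".")
    if domain in LEGITIMATE_DOMAINS:
        return None
    label = normalize_label(domain)
    for brand in BRANDS:
        if brand in label or levenshtein(label, brand) <= max_distance:
            return brand
    return None


def triage_mail_log(log_text):
    """Parse 'timestamp sender attachment' lines; return suspicious ones with reasons."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, attachment = line.split()
        sender_domain = sender.rpartition("@")[2]
        reasons = []
        if HTA_RE.search(attachment):
            reasons.append("hta_attachment")
        brand = lookalike_brand(sender_domain)
        if brand:
            reasons.append("lookalike:" + brand)
        if reasons:
            findings.append({"ts": ts, "sender": sender,
                             "attachment": attachment, "reasons": reasons})
    return findings


# Constructed mail-gateway log lines (not real traffic).
SAMPLE_MAIL_LOG = """\
2017-09-20T06:12:03Z hr@boeing-careers.com Job_Description.hta
2017-09-20T06:15:41Z jobs@n0rthropgrumman.net Opening_Details.pdf
2017-09-20T07:02:10Z it@corp.example.com schedule.xlsx
2017-09-20T07:44:55Z recruit@vinnell.com Offer_Letter.hta
2017-09-20T08:01:09Z noreply@boeing.com Newsletter.pdf
"""

if __name__ == "__main__":
    for f in triage_mail_log(SAMPLE_MAIL_LOG):
        print(f["ts"], f["sender"], f["attachment"], ",".join(f["reasons"]))
```

Note that the HTA check fires independently of the sender check: an .hta attachment from a domain on the allowlist is still reported, since a compromised or spoofed legitimate sender is exactly the case a brand-only rule would miss. The substring match catches registrations such as boeing-careers.com, while the edit-distance match catches transpositions like boieng.com; both rules need an allowlist of the real domains or they would flag the brand's own mail.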
Identification
FireEye and Kaspersky Lab noted similarities between ShapeShift and Shamoon, another destructive malware family linked to Iran. Farsi-language artifacts appear in ShapeShift and DropShot, and the group was most active during Iran Standard Time (UTC+03:30) business hours, remaining inactive on the Iranian weekend.
One hacker known by the pseudonym xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army. xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.
See also
* Charming Kitten