Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Refined Kitten (by CrowdStrike), Magnallium (by Dragos), and Holmium (by Microsoft).
History
FireEye believes that the group was formed no later than 2013.
Targets
APT33 has reportedly targeted aerospace, defense and petrochemical industry targets in the United States, South Korea, and Saudi Arabia.
Modus operandi
APT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift or install a backdoor called TurnedUp.
The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application (HTA) files to its targets.
APT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.
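Domain impersonation of the kind described above is something defenders can watch for in certificate-transparency logs or new-domain feeds. As an added example that is not code from the article or from any vendor, the Python below flags registrable labels that resemble a list of protected brand names using homoglyph normalisation, substring embedding and edit distance. The brand list reuses the companies named on the page; the sample domains, the substitution tables and the edit-distance threshold are constructed assumptions for illustration.

```python
"""Flag newly observed domains whose registrable label impersonates a brand.

Added example, not code from the article or from any vendor. The brand list
reuses company names from the article; the sample domains, homoglyph table
and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Brands to protect (names taken from the article, lower-cased, no spaces).
PROTECTED_BRANDS = ["boeing", "alsalam", "northropgrumman", "vinnell"]

# Constructed sample feed of newly observed domains (the .test TLD is reserved).
SAMPLE_DOMAINS = [
    "b0eing.test",                  # digit-for-letter homoglyph
    "northropgrumman-portal.test",  # brand embedded with an extra token
    "vinell.test",                  # one character dropped
    "example.test",                 # unrelated
    "boeing.test",                  # exact brand label: not a lookalike
]

# Assumed visual-substitution table; extend it from your own observations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
DIGRAPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


@dataclass(frozen=True)
class Finding:
    domain: str
    brand: str
    reason: str


def registrable_label(domain: str) -> str:
    """Left-most label of the registrable part, e.g. 'foo' for 'foo.test'.

    Assumes a single-label public suffix; a real deployment would consult
    the Public Suffix List to handle suffixes such as 'co.uk'.
    """
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def normalize(label: str) -> str:
    """Collapse homoglyphs, digraph tricks and separators before comparing."""
    s = label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")
    for src, dst in DIGRAPHS:
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance using a single rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_domain(domain: str, brands: Iterable[str] = PROTECTED_BRANDS,
                 max_edits: int = 2) -> Optional[Finding]:
    """Return a Finding when the label resembles a brand but is not the brand itself."""
    label = registrable_label(domain)
    norm = normalize(label)
    for brand in brands:
        target = normalize(brand)
        if norm == target and label != brand:
            return Finding(domain, brand, "homoglyph or separator variant")
        if target in norm and norm != target:
            return Finding(domain, brand, "brand embedded in label")
        if norm != target and levenshtein(norm, target) <= max_edits:
            return Finding(domain, brand, "within edit distance")
    return None


def scan(domains: Iterable[str]) -> list[Finding]:
    """Run check_domain over a feed and keep only the hits."""
    return [f for f in (check_domain(d) for d in domains) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_DOMAINS):
        print(f"{finding.domain:32} looks like {finding.brand!r}: {finding.reason}")
```

The three checks are ordered from most to least specific so the reported reason is the tightest match; an exact brand label is deliberately not flagged, since the brand's own domain will appear in the same feeds. The edit-distance threshold should be tuned per brand length: two edits is generous for a six-letter name like "boeing" and will produce false positives on short dictionary words.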
Identification
FireEye and Kaspersky Lab noted similarities between ShapeShift and Shamoon, another virus linked to Iran.
APT33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time business hours, remaining inactive on the Iranian weekend.
One hacker known by the pseudonym xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army. xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.
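The working-hours reasoning in this section (activity concentrated in local business hours and absent on the weekend) is a standard attribution heuristic. As an added example that is not code from the article or from any vendor, the Python below converts a constructed set of UTC activity timestamps into several candidate local time zones and scores how well each fits a working-week hypothesis. The +03:30 offset is Iran Standard Time; the 08:00-18:00 window and the weekend days assigned to each candidate zone are assumed parameters, not values from the article.

```python
"""Score how well a set of activity timestamps fits a working-week hypothesis
in candidate time zones, the kind of reasoning used in attribution.

Added example, not code from the article or any vendor. The timestamps are
constructed; +03:30 is the Iran Standard Time offset; the 08:00-18:00 window
and the weekend days for each candidate are assumed parameters.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

IRST = timezone(timedelta(hours=3, minutes=30), name="IRST")
WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Candidate zones to compare: (label, tzinfo, assumed weekend days).
CANDIDATE_ZONES = [
    ("IRST", IRST, ("Thu", "Fri")),
    ("UTC", timezone.utc, ("Sat", "Sun")),
    ("UTC+8", timezone(timedelta(hours=8), name="UTC+8"), ("Sat", "Sun")),
]

# Constructed sample: UTC timestamps of observed activity (e.g. C2 check-ins).
SAMPLE_TIMESTAMPS_UTC = [
    "2023-01-07T05:00:00Z", "2023-01-07T09:15:00Z",
    "2023-01-08T06:30:00Z", "2023-01-08T13:00:00Z",
    "2023-01-09T04:45:00Z", "2023-01-09T12:30:00Z",
    "2023-01-10T07:00:00Z",
    "2023-01-11T10:00:00Z", "2023-01-11T14:10:00Z", "2023-01-11T16:00:00Z",
]


def to_local(ts_utc: str, tz) -> datetime:
    """Parse an ISO-8601 UTC timestamp and convert it to the candidate zone."""
    dt = datetime.fromisoformat(ts_utc.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(tz)


def activity_profile(timestamps, tz=IRST, weekend=("Thu", "Fri"),
                     start_hour=8, end_hour=18) -> dict:
    """Bucket activity by local weekday and hour and measure the working-week fit."""
    by_day, by_hour = Counter(), Counter()
    in_hours = weekend_hits = 0
    for ts in timestamps:
        local = to_local(ts, tz)
        day = WEEKDAYS[local.weekday()]
        by_day[day] += 1
        by_hour[local.hour] += 1
        if day in weekend:
            weekend_hits += 1
        elif start_hour <= local.hour < end_hour:
            in_hours += 1
    total = len(timestamps)
    return {
        "zone": tz.tzname(None),
        "total": total,
        "business_hours_fraction": in_hours / total if total else 0.0,
        "weekend_fraction": weekend_hits / total if total else 0.0,
        "by_day": dict(by_day),
        "by_hour": dict(sorted(by_hour.items())),
    }


def rank_candidates(timestamps, candidates=CANDIDATE_ZONES) -> list:
    """Return (label, business_hours_fraction) per candidate, best fit first."""
    scored = [(label, activity_profile(timestamps, tz, weekend)["business_hours_fraction"])
              for label, tz, weekend in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for label, score in rank_candidates(SAMPLE_TIMESTAMPS_UTC):
        print(f"{label:6} business-hours fit: {score:.0%}")
    print(activity_profile(SAMPLE_TIMESTAMPS_UTC)["by_day"])
```

On the constructed sample the IRST candidate scores highest, with nothing falling on its assumed weekend, while the same timestamps look like scattered off-hours activity in UTC or UTC+8. Timing evidence of this kind is weak on its own, since scheduled tasks, shift work and editable compile timestamps all distort it; the article pairs it with language artifacts (the Farsi strings in ShapeShift and DropShot) and code overlaps before drawing a conclusion.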
See also
* Charming Kitten