Secret Iranian Network Behind ‘Aggressive’ U.S. Cyberattacks Exposed In New Report

The Iranian hacking group behind a Microsoft Outlook attack earlier this year that prompted a U.S. Cyber Command warning is back in the news. The U.S. government has warned of an increasing threat from Iran as tensions escalate in the Gulf. Iran doesn’t have the same level of cyber weaponry used by threat groups in Russia and China, but it has proven very adept at attacks on civilian and critical infrastructure—targets that are less hardened than government or military agencies. Now a report from Trend Micro has exposed the use of a dedicated virtual private network by one “aggressive” Iranian hacking group to hit targets while keeping its activities secret.

The group in question is APT33, also referred to as Elfin. Best known for the Shamoon attack on Saudi Aramco, APT33 is responsible for other targeted attacks on the oil and gas industry in the U.S. and Middle East, as well as hacks on various parts of the security industry. Trend Micro reports that APT33 has honed its methods to attack the oil and gas industry, as well as a variety of seemingly unrelated targets that one can assume have arisen as a result of tasking from Teheran.

Although APT33’s malware attacks this year have included “a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia,” the group always returns to its core oil and gas focus. And these attacks have become “more aggressive,”comprising “a big risk to companies in the oil industry, as APT33 is known to use destructive malware.”

APT33 has been taking greater care to mask its activities, with its command and control (C&C) servers hidden behind proxies and the use of bots that are mixed with masses of normal internet traffic to make detection more difficult. In this way, APT33—and other threat groups—take advantage of the way the web is used by legitimate organisations to hide in plain sight. APT33 has gone further, though, according to this latest report, with the use of a private VPN “to hide its whereabouts when administering C&C servers and doing reconnaissance.”

Trend Micro reports that APT33 has opted to set up its own VPN, rather than using a commercial service. Both options have been used by nation-state threat actors. The team says it has tracked “some of the group’s private VPN exit nodes for more than a year—but it is likely the IP addresses have been used for a longer time.” Ironically, the use of a private VPN has made APT33’s traffic easier to track. Trend Micro has detected “the reconnaissance of networks that are relevant to the supply chain of the oil industry... and reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S.”

Interestingly, APT33 has also used its private VPN “to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums.” And with its core remit in mind, it has mined recruitment sites that place employees into multiple oil and gas companies. We have seen increasing use of recruitment and HR covers for spear phishing attacks on controlled, restricted and strategic industries.

Earlier this year, the Cybersecurity and Infrastructure Security Agency (CISA) within the DHS issued a blanket warning about a"recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” And there was a similar warning from the NSA that "there have been serious issues with malicious Iranian cyber actions in the past. In these times of heightened tensions, it is appropriate for everyone to be alert to signs of Iranian aggression in cyberspace and ensure appropriate defences are in place."

Trend Micro advises the usual patching discipline in target industries, which with the increasing exposure of IoT devices as entry points means more than just core systems, networks and client PCs. With almost all attacks now relying on a malicious or naive insider action, there is also a call for employe training and awareness as well as advanced cyber defences around networks, including the use of multilayered security.

Iran has identified the cyber sphere as a rich hunting ground, one in which it can inflict serious damage on key targets. This latest report provides yet another warning as to the increasing levels of sophistication being deployed and the need to multiple strategic industries to step up their defences and employee training.