Advanced Persistent Threat 33 (APT33) is a hacker group identified byFireEye as being supported by thegovernment of Iran.[1][2] The group has also been calledElfin Team,Refined Kitten (byCrowdstrike),Magnallium (by Dragos),Peach Sandstorm,[3] andHolmium (byMicrosoft).[4][5][6]
FireEye believes that the group was formed no later than 2013.[1]
APT33 has reportedly targetedaerospace,defense andpetrochemical industry targets in theUnited States,South Korea, andSaudi Arabia.[1][2]
APT33 reportedly uses adropper program designated DropShot, which can deploy awiper called ShapeShift, or install abackdoor called TurnedUp.[1] The group is reported to use the ALFASHELL tool to sendspear-phishing emails loaded with maliciousHTML Application files to its targets.[1][2]
APT33 registered domains impersonating many commercial entities, includingBoeing, Alsalam Aircraft Company,Northrop Grumman andVinnell.[2]
FireEye andKaspersky Lab noted similarities between the ShapeShift andShamoon, anothervirus linked to Iran.[1] APT33 also usedFarsi in ShapeShift and DropShot, and was most active duringIran Standard Time business hours, remaining inactive on the Iranian weekend.[1][2]
One hacker known by thepseudonym of xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to theIranian Cyber Army.[7][1][2][8] xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.[7]
Included in a piece of non-public malware APT33 uses called TURNEDUP is the username "xman_1365_x." xman has accounts on a selection of Iranian hacking forums, such as Shabgard and Ashiyane, although FireEye says it did not find any evidence to suggest xman was formally part of those site's hacktivist groups. In its report, FireEye links xman to the "Nasr Institute," a hacking group allegedly controlled by the Iranian government.
FireEye found some ties between APT33 and the Nasr Institute - which other experts have connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards - but it has yet to find any links to a specific government agency, Hultquist said.