Sciextor

APT 33

APT 33 is a hacker group that is believed to be supported by the government of Iran.

They have been conducting cyber espionage operations since at least 2013, targeting the aviation, energy, and petrochemical sectors in the United States, Saudi Arabia, and other countries.

Some of their aliases are Elfin Team, Refined Kitten, Magnallium, and Holmium.

History

• APT 33 first became active in late 2015 or early 2016, and has been involved in a three-year campaign against multiple firms in the United States and Saudi Arabia
• APT 33 reportedly uses a dropper program called DropShot, which can deploy a wiper called ShapeShift, or install a backdoor called TurnedUp. The group also uses the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application files to its targets
• APT 33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell
• APT 33 has been linked to the destructive Shamoon malware attacks on several companies in the Middle East and Europe in 2016 and 2017
• APT 33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time business hours, remaining inactive on the Iranian weekend
• One hacker known by the pseudonym of xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards. xman_1365_x has accounts on Iranian hacker forums, such as Shabgard and Ashiyane.