Iranian Threat Actor “APT33” Targets Saudi Organizations (Jun 26, 2019)
Inskit and Recorded Futures researchers suspect that Iranian state-sponsored threat group “APT33,” also known as “Elfin,” or a closely aligned threat actor, continue to conduct and prepare for a widespread cyberespionage campaign. Since March 28, 2019, over 1,200 domains have been used to target mainly Saudi Arabian organizations across a variety of industries. There appears to be a strong emphasis on using commodity malware, which is an attractive option for nation-state threat actors who wish to hinder attribution efforts. Historically, APT33 targeting has focused on the aerospace and defense industries, as well as the oil and gas industry, with a strong focus on companies based in Saudi Arabia. According to the Recorded Futures researchers, a preliminary analysis identified 1,252 unique, correlated domains likely administered by the same APT33 attackers behind an APT33 campaign documented in March 2019 by Symantec.
Recommendation: Western and Saudi Arabian organizations in industries that have been historically targeted by APT33 should be monitoring geopolitical developments. Organizations should increase scrutiny of operational security controls focusing on detection and remediation of initial unauthorized access, specifically from phishing campaigns and third-party relationships. Additionally, real-time security intelligence should be used to improve hunting in internal networks.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.