Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms


An Iran-linked cyber-espionage group that was found targeting critical infrastructure [1], energy and military sectors in Saudi Arabia and the United States two years ago continues to target organizations in the two nations, Symantec reported on Wednesday.

Widely known as APT33, which Symantec calls Elfin, the cyber-espionage group has been active since as early as late 2015 and has targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world.

Symantec has been monitoring Elfin's attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations, with 42% of the most recent attacks observed against Saudi Arabia and 34% against the United States.

Elfin targeted a total of 18 American organizations in the
engineering, chemical, research, energy consultancy, finance, IT
and healthcare sectors over the past three years, including a
number of Fortune 500 companies.

“Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks,” Symantec said in its blog post [2]. “In one instance, a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised.”

Hackers Still Exploiting Recently Discovered WinRAR Flaw

The APT33 group has also been exploiting a recently disclosed, critical vulnerability (CVE-2018-20250) [3] in the widely used WinRAR file compression application that lets attackers silently extract malicious files from a harmless archive file to a Windows Startup folder, eventually allowing them to execute arbitrary code on the targeted computer.
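As an added defender-side example (not code from Symantec's report or this article), the check below flags archive member paths that would escape the extraction directory or land in a Windows Startup folder, which is the outcome the article attributes to CVE-2018-20250. It does not parse any archive format; it takes the list of stored member paths as input, uses constructed sample entries and a constructed destination directory, and relies on Python's ntpath so it runs on any operating system.

```python
import ntpath
from typing import List, NamedTuple

# Destination directory an extractor would write into (constructed Windows path).
DEST_DIR = "C:\\Users\\alice\\Downloads\\extract"

# Constructed member paths modelled on the behaviour the article describes: an
# archive that looks harmless but carries entries that resolve outside the
# extraction directory, into a Startup folder. Not taken from any real sample.
SAMPLE_ENTRIES = [
    "report.pdf",
    "images/logo.png",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\helper.exe",
]

# Path fragment shared by the per-user and all-users Startup folders.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

class Finding(NamedTuple):
    entry: str          # member path as stored in the archive
    resolved: str       # where a naive extractor would actually write it
    escapes_dest: bool  # resolved path is not beneath the destination
    hits_startup: bool  # resolved path lands in a Startup folder

def check_entry(dest_dir: str, entry: str) -> Finding:
    """Resolve one member path with Windows semantics and classify it."""
    dest = ntpath.normpath(dest_dir)
    # ntpath.join discards dest when the entry is absolute or rooted, and
    # normpath collapses '..' components: together they mimic a naive extractor.
    resolved = ntpath.normpath(ntpath.join(dest, entry.replace("/", "\\")))
    try:
        # Case-insensitive on purpose, matching NTFS path semantics.
        escapes = ntpath.commonpath([dest, resolved]).lower() != dest.lower()
    except ValueError:
        # Different drive letter (or UNC vs. local): certainly not beneath dest.
        escapes = True
    return Finding(entry, resolved, escapes, STARTUP_MARKER in resolved.lower())

def scan_archive(dest_dir: str, entries: List[str]) -> List[Finding]:
    """Return only the members that would escape dest_dir or land in Startup."""
    return [f for f in (check_entry(dest_dir, e) for e in entries)
            if f.escapes_dest or f.hits_startup]

if __name__ == "__main__":
    for f in scan_archive(DEST_DIR, SAMPLE_ENTRIES):
        print(f"BLOCK {f.entry!r} -> {f.resolved}")
```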

The vulnerability was already patched by the WinRAR team last month but was found being actively exploited by various hacking groups [4] and individual hackers immediately after its details and proof-of-concept (PoC) exploit code went public [5].

In the APT33 campaign, the WinRAR exploit was used against a
targeted organization in the chemical sector in Saudi Arabia, where
two of its users received a file via a spear-phishing email that
attempted to exploit the WinRAR vulnerability.

Symantec is not the only firm to have spotted attacks exploiting the WinRAR flaw; security firm FireEye also identified [6] four separate campaigns exploiting the WinRAR vulnerability to install password stealers, trojans and other malicious software.

What's more, APT33 has deployed a wide range of tools in its custom malware toolkit, including the Notestuk backdoor (aka TURNEDUP), the Stonedrill Trojan and a malware backdoor written in AutoIt.

Besides its custom malware, APT33 also used several commodity
malware tools, including Remcos, DarkComet, Quasar RAT, Pupy RAT,
NanoCore, and NetWeird, along with many publicly available hacking
tools, like Mimikatz, SniffPass, LaZagne, and Gpppassword.

APT33/Elfin Links to Shamoon Attacks

In December 2018, the APT33 group was linked to a wave of Shamoon attacks [7] targeting the energy sector, one of which infected a company in Saudi Arabia with the Stonedrill malware used by Elfin.

“One Shamoon victim in Saudi Arabia had recently also been attacked
by Elfin and had been infected with the Stonedrill malware used by
Elfin. Because the Elfin and the Shamoon attacks against this
organization occurred so close together, there has been speculation
that the two groups may be linked,” Symantec said.

“However, Symantec has found no further evidence to suggest
Elfin was responsible for these Shamoon attacks to date. We
continue to monitor the activities of both groups closely.”

In late 2017, cybersecurity company FireEye said it had found evidence that APT33 works on behalf of the Iranian government [8], and that the group has successfully targeted the aviation sector [9], both military and commercial, along with organizations in the energy sector.

Symantec described APT33 as “one of the most active groups
currently operating in the Middle East” targeting a diverse range
of sectors, with “willingness to continually revise its tactics and
find whatever tools it takes to compromise its next set of
victims.”


References

  1. targeting critical infrastructure (thehackernews.com)
  2. blog post (www.symantec.com)
  3. CVE-2018-20250 (thehackernews.com)
  4. exploited by various hacking groups (thehackernews.com)
  5. exploit code went public (thehackernews.com)
  6. identified (www.fireeye.com)
  7. wave of Shamoon attacks (thehackernews.com)
  8. Iranian government (thehackernews.com)
  9. successfully targeted aviation sector (thehackernews.com)
