APT33
APT33 is a suspected Iranian state-sponsored threat group active since at least 2013, known for targeting aerospace, energy, and defense sectors through cyber espionage and potentially destructive operations.

The origin of APT33
APT33, also known as HOLMIUM, COBALT TRINITY, Elfin, Refined Kitten, and Peach Sandstorm, is a state-sponsored Iranian threat group that has been active since at least 2013. The group is suspected of links to Iran’s Islamic Revolutionary Guard Corps (IRGC) and is assessed to support Iranian strategic objectives through cyber espionage and possibly destructive operations. APT33 is particularly known for spearphishing, custom malware, and publicly available offensive security tools, and it frequently abuses Microsoft technologies (HTML Applications, PowerShell, Office documents, and Office 365 accounts) to gain access to target environments.
Countries targeted by APT33
APT33 operations have primarily targeted the United States, Saudi Arabia, the United Arab Emirates, and South Korea. These countries are politically and economically significant to the Middle East, and their governments frequently oppose Iranian foreign policy. The group's activity also appears designed to collect intelligence on critical infrastructure and technological advances.
Industries targeted by APT33
APT33 has focused extensively on organizations in the aerospace, energy, defense, engineering, and industrial sectors. Their interest aligns with Iran’s economic and military objectives, especially around oil and gas infrastructure and defense capabilities of regional adversaries and global competitors.
APT33's victims
Notably, APT33 has targeted U.S. engineering and aerospace firms, Saudi oil and energy conglomerates, and UAE-based critical infrastructure entities. Their operations included both cyber espionage and preparation for potential destructive attacks, such as those linked to the Shamoon malware campaigns, although attribution to APT33 is circumstantial in some cases.
APT33's attack method

APT33 primarily gains initial access through spearphishing emails carrying links to malicious HTML Application (.hta) files or malicious document and archive attachments. The group has also compromised valid accounts, including Office 365 cloud accounts, in some cases by password spraying.
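
The password-spraying pattern above (one source trying a few guesses against many accounts, rather than many guesses against one) is easy to miss in per-account lockout alerts. The following is an added example, not code from the original page or from Vectra AI, that flags it in sign-in records. The sign-in lines are constructed, and the four-column layout (timestamp, user, source IP, result) is an assumption rather than any real vendor log format.

```python
"""Password-spray detection over constructed sign-in records.

Added example; not code from the original page or from Vectra AI. The
sign-in lines and their four-column layout (timestamp, user, source IP,
result) are constructed for illustration and are not a real vendor format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails once against five accounts and then
# succeeds against a sixth (a spray); 198.51.100.20 retries a single account
# (brute force, not a spray, and deliberately not matched below).
SAMPLE_SIGNINS = """\
2023-09-01T08:00:01Z alice@example.com 203.0.113.7 FAILURE
2023-09-01T08:00:03Z bob@example.com 203.0.113.7 FAILURE
2023-09-01T08:00:05Z carol@example.com 203.0.113.7 FAILURE
2023-09-01T08:00:07Z dave@example.com 203.0.113.7 FAILURE
2023-09-01T08:00:09Z erin@example.com 203.0.113.7 FAILURE
2023-09-01T08:00:11Z frank@example.com 203.0.113.7 SUCCESS
2023-09-01T08:05:00Z alice@example.com 198.51.100.20 FAILURE
2023-09-01T08:05:10Z alice@example.com 198.51.100.20 FAILURE
2023-09-01T08:05:20Z alice@example.com 198.51.100.20 SUCCESS
"""


def parse_signins(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user.lower(), "ip": ip,
                       "success": result == "SUCCESS"})
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag a source IP when, inside `window`, it fails against at least
    `min_accounts` distinct accounts with no more than `max_per_account`
    attempts each. The finding also lists accounts the same IP then signed
    in to successfully inside that window: those are the pivot for response."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e["success"]]
        for i, start in enumerate(failures):
            end = start["time"] + window
            per_account = defaultdict(int)
            for e in failures[i:]:          # already time-ordered
                if e["time"] > end:
                    break
                per_account[e["user"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                compromised = sorted({e["user"] for e in evs
                                      if e["success"] and start["time"] <= e["time"] <= end})
                findings[ip] = {"first_seen": start["time"],
                                "accounts_tried": len(per_account),
                                "successful_logins": compromised}
                break                       # one finding per IP is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_signins(SAMPLE_SIGNINS)).items():
        print(ip, finding)
```

The window and thresholds are the tuning knobs: a low-and-slow spray spreads a handful of attempts per account over hours or days, so widen the window and lower the per-account cap rather than relying on lockout counters, and treat any successful sign-in from a flagged source as a compromised account until proven otherwise.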

Exploits such as CVE-2017-0213 (a Windows COM elevation-of-privilege flaw) have been used for local privilege escalation. The group also uses valid administrative credentials obtained with credential-dumping tools.

Persistence is maintained through registry Run keys, payloads placed in the Startup folder, scheduled tasks, and WMI event subscriptions. To evade detection, APT33 uses base64-encoded payloads, AES-encrypted command-and-control (C2) traffic, obfuscated PowerShell, and custom malware frameworks.

Credentials are harvested with tools such as LaZagne, Mimikatz, and SniffPass, targeting browser-stored credentials, LSASS process memory, Group Policy Preferences (GPP) passwords, and cached domain credentials.

Common scripts and tools are used to enumerate hosts, network topology, and account privileges in preparation for lateral movement.

Lateral movement relies on harvested credentials, remote desktop access, and valid account access.

Sensitive files are staged and compressed with tools such as WinRAR before exfiltration; backdoor implants have also been used to capture screenshots.

Payloads are executed through PowerShell, VBScript, or by tricking users into launching malicious attachments. The group has also exploited client-side software vulnerabilities such as CVE-2017-11774 (an Outlook security-feature bypass) and CVE-2018-20250 (a path-traversal flaw in WinRAR's handling of ACE archives).
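
The execution chain just described (a mail client or mshta.exe spawning a script host, often with a base64-encoded PowerShell command) and the persistence mechanisms listed earlier (Run keys, Startup folder, scheduled tasks, WMI event subscriptions) all leave traces in process-creation telemetry. The following triage routine is an added example, not code from the original page or from Vectra AI: it decodes -EncodedCommand arguments and flags suspicious parent/child pairs and persistence commands. The events are constructed, and the field names parent, image and cmdline are an assumption modelled loosely on Sysmon Event ID 1 and Windows Event 4688 data.

```python
"""Triage of process-creation events for the execution and persistence
tradecraft described on this page: Office or mshta.exe parents spawning
script hosts, base64-encoded (-EncodedCommand) PowerShell, and persistence
via Run keys, the Startup folder, scheduled tasks and WMI event subscriptions.

Added example, not code from the original page or from Vectra AI. The events
are constructed; the field names parent/image/cmdline are an assumption
modelled loosely on Sysmon Event ID 1 and Windows Event 4688.
"""
import base64
import re

# Parents that should rarely spawn a script host on a workstation.
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

PERSISTENCE_PATTERNS = {
    "run_key_persistence": re.compile(r"(?i)CurrentVersion\\Run"),
    "startup_folder_persistence": re.compile(r"(?i)\\Start Menu\\Programs\\Startup"),
    "scheduled_task_persistence": re.compile(r"(?i)schtasks(?:\.exe)?\s+/create|Register-ScheduledTask"),
    "wmi_subscription_persistence": re.compile(
        r"(?i)root\\subscription|__EventFilter|__FilterToConsumerBinding|CommandLineEventConsumer"),
}


def encode_command(script):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:              # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")


def triage_process_event(event):
    """Return the event with a list of flags; an empty list means nothing matched."""
    parent, image, cmdline = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    flags = []
    if parent in SUSPICIOUS_PARENTS and image in SCRIPT_HOSTS:
        flags.append("suspicious_parent")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        flags.append("encoded_command")
    # Persistence indicators are matched on the visible command line AND the decoded script,
    # so encoding the payload does not hide a Run-key or WMI-subscription write.
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    for name, pattern in PERSISTENCE_PATTERNS.items():
        if pattern.search(haystack):
            flags.append(name)
    return {"parent": parent, "image": image, "flags": flags, "decoded": decoded}


def triage(events):
    return [triage_process_event(e) for e in events]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_command(
         r"Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' "
         r"-Name 'Updater' -Value 'C:\Users\Public\update.exe'")},
    {"parent": "mshta.exe", "image": "cmd.exe",
     "cmdline": r'cmd.exe /c schtasks /create /sc minute /mo 30 /tn "OfficeSync" /tr "wscript.exe C:\Users\Public\sync.vbs"'},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_command(
         r"Set-WmiInstance -Namespace root\subscription -Class __EventFilter "
         r"-Arguments @{Name='Upd';EventNamespace='root\cimv2';QueryLanguage='WQL';"
         r"Query='SELECT * FROM __InstanceModificationEvent WITHIN 60'}")},
    {"parent": "services.exe", "image": "svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
]


if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        print(result["parent"], "->", result["image"], result["flags"])
```

Two points matter in practice: the parent/child check fires even when the payload itself is unremarkable (Outlook should not be spawning PowerShell at all), and the persistence patterns are searched in the decoded script, because the indicators the page lists never appear in the raw command line of an encoded invocation.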

Command-and-control traffic has used HTTP and HTTPS, at times over the non-standard TCP ports 808 and 880, carrying encoded payloads; stolen data has been exfiltrated over unencrypted FTP, separately from the C2 channel.
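
Both behaviours above are visible in connection logs without any payload inspection: HTTP on a port where HTTP is not expected, and bulk uploads over cleartext FTP from an internal host. The detector below is an added example, not code from the original page or from Vectra AI. The records are constructed in a Zeek conn.log-like whitespace-separated layout, and the column subset used here is an assumption.

```python
"""Egress detection for the C2 and exfiltration patterns described on this
page: HTTP on non-standard ports (808 and 880 are the ports reported for the
group) and bulk uploads over cleartext FTP from internal hosts.

Added example, not from the original page or from Vectra AI. The records are
constructed in a Zeek conn.log-like layout; the column subset is an assumption.
"""
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXPECTED_HTTP_PORTS = {80, 8080, 443, 8443}
KNOWN_APT33_C2_PORTS = {808, 880}       # non-standard ports reported for the group's HTTP C2
FTP_SERVICES = {"ftp", "ftp-data"}

# Constructed sample (not real traffic). Columns follow the #fields header;
# '-' is Zeek's marker for an unset counter.
SAMPLE_CONN_LOG = """\
#fields ts orig_h orig_p resp_h resp_p proto service orig_bytes resp_bytes
1693555200.0 10.0.0.15 51000 203.0.113.50  808   tcp http     2048     4096
1693555260.0 10.0.0.15 51001 203.0.113.50  880   tcp http     1024     2048
1693555320.0 10.0.0.22 51002 198.51.100.9  21    tcp ftp      -        512
1693555330.0 10.0.0.22 51003 198.51.100.9  50512 tcp ftp-data 52428800 0
1693555400.0 10.0.0.30 51004 198.51.100.77 443   tcp ssl      3000     12000
1693555500.0 10.0.0.30 51005 10.0.0.5      808   tcp http     500      900
"""


def is_internal(ip):
    """Explicit RFC 1918 check; ipaddress.is_private also covers documentation
    ranges such as 203.0.113.0/24, which would hide the sample's 'external' hosts."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _counter(field):
    return 0 if field == "-" else int(field)


def parse_conn_log(text):
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, oh, op, rh, rp, proto, service, ob, rb = line.split()
        conns.append({"ts": float(ts), "orig_h": oh, "orig_p": int(op), "resp_h": rh,
                      "resp_p": int(rp), "proto": proto, "service": service,
                      "orig_bytes": _counter(ob), "resp_bytes": _counter(rb)})
    return conns


def detect_suspicious_egress(conns, ftp_upload_threshold=10 * 1024 * 1024):
    """Evaluate internal->external flows only and return a list of findings."""
    findings = []
    ftp_bytes = defaultdict(int)           # bytes sent per (src, dst) over FTP
    for c in conns:
        if not is_internal(c["orig_h"]) or is_internal(c["resp_h"]):
            continue
        if c["service"] == "http" and c["resp_p"] not in EXPECTED_HTTP_PORTS:
            findings.append({"rule": "http_nonstandard_port", "src": c["orig_h"],
                             "dst": c["resp_h"], "port": c["resp_p"],
                             "known_apt33_port": c["resp_p"] in KNOWN_APT33_C2_PORTS})
        if c["service"] in FTP_SERVICES:
            ftp_bytes[(c["orig_h"], c["resp_h"])] += c["orig_bytes"]
    # Sum across control and data channels so many small transfers still add up.
    for (src, dst), total in ftp_bytes.items():
        if total >= ftp_upload_threshold:
            findings.append({"rule": "ftp_bulk_upload", "src": src, "dst": dst, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_egress(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

The port list is a starting point, not an allowlist to trust: the useful signal is HTTP identified by protocol analysis on a port where the environment does not serve HTTP, so 808 and 880 are annotated rather than used as the only trigger. The FTP rule aggregates per source/destination pair because a single large data-channel connection and a hundred small ones are the same exfiltration.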

Although primarily an espionage actor, APT33 is assessed to have destructive capability: its activity has been linked to Shamoon-style wiper operations, but that link has not been conclusively proven.

TTPs used by APT33
How to Detect APT33 with Vectra AI
List of the detections available in the Vectra AI Platform that would indicate an APT33 intrusion.
FAQs
What is APT33's origin?
APT33 is a suspected Iranian state-sponsored threat group likely linked to the Islamic Revolutionary Guard Corps (IRGC), active since at least 2013.
What industries are targeted by APT33?
They focus on aerospace, energy, defense, engineering, and oil/gas sectors.
Which countries are most affected?
Primary targets include the U.S., Saudi Arabia, UAE, and South Korea.
How does APT33 gain initial access?
Through spearphishing emails with malicious attachments or links, and compromised Office 365 accounts via password spraying.
What malware or tools are associated with APT33?
Common tools include POWERTON, RemCos, DarkComet, PowerShell Empire, LaZagne, Mimikatz, and SniffPass.
Are they linked to any destructive attacks?
While primarily focused on espionage, APT33 has potential links to destructive operations like Shamoon, though attribution remains circumstantial.
How do they maintain persistence?
Using registry keys, scheduled tasks, WMI event subscriptions, and deployment of RATs to startup folders.
How can organizations detect APT33 activity?
Detection requires monitoring for suspicious PowerShell activity (especially encoded or obfuscated command lines), encoded traffic and HTTP on non-standard ports, WMI event subscription abuse, and scheduled script execution. Network detection and response (NDR) tooling is advised.
What mitigations are effective against APT33?
Use MFA, disable macro execution, monitor for unauthorized registry changes, limit PowerShell access, and deploy network segmentation.
What is the group’s strategic objective?
APT33 conducts espionage in support of Iran’s national interests, especially in the Middle East’s energy and defense sectors, with a potential for sabotage if politically expedient.