Hackers likely working on behalf of the Iranian government have targeted the aviation and petrochemical industries in the U.S., Saudi Arabia and South Korea since 2013, American cybersecurity firm FireEye said Wednesday.
Known as APT33 (APT is an acronym for “advanced persistent threat”), the hacking group has targeted several aviation and energy companies in the U.S. and abroad within the last few years in an effort to conduct cyber espionage operations at the behest of the Iranian government, FireEye said in a report.
“APT33’s targeting of organizations involved in aerospace and energy most closely aligns with nation-state interests, implying that the threat actor is most likely government sponsored,” the report said. “This coupled with the timing of operations — which coincides with Iranian working hours — and the use of multiple Iranian hacker tools and name servers bolsters our assessment that APT33 may have operated on behalf of the Iranian government.”
In some instances the hackers sent recruitment-themed emails to aviation industry employees containing files designed to infect victims’ computers when opened, occasionally launching their attacks from web addresses mimicking the names of companies including Boeing, Alsalam Aircraft Company and Northrop Grumman, FireEye said.
The hackers managed to go undetected for “four to six months” at a time, The New York Times reported, exfiltrating data while infecting targeted systems with malware capable of wiping disks and deleting files, according to FireEye.
“Based on observed targeting, we believe APT33 engages in strategic espionage by targeting geographically diverse organizations across multiple industries. Specifically, the targeting of organizations in the aerospace and energy sectors indicates that the threat group is likely in search of strategic intelligence capable of benefitting a government or military sponsor,” the report said. “We expect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions and sectors as Iranian interests dictate.”
The Iranian government did not immediately comment publicly on the report, but FireEye executives say they’ve uncovered evidence that all but implicates Tehran.
“Iranian fingerprints are all over this campaign, and government fingerprints in particular,” John Hultquist, FireEye’s director of cyber espionage analysis, told Reuters. “Right now we are seeing a lot of activity that seems to be classic cyber espionage.”
James Clapper, the former U.S. Director of National Intelligence, said in 2015 that Iran has “lesser technical capabilities but possibly more disruptive intent” than Chinese and Russian state-sponsored hackers, though the State Department’s Overseas Security Advisory Council concluded the following year that Tehran is “rapidly improving its cyber warfare capabilities.”
Iranian hackers have previously been blamed for unleashing Shamoon, a computer virus that infiltrated Saudi Arabian Oil Co. in 2012 and Saudi government computers in late 2016.
The U.S., for its part, reportedly worked with Israeli counterparts to develop Stuxnet, a debilitating worm blamed for breaking thousands of centrifuges after being unleashed in 2011 against Iran’s contested nuclear program.