NCRI Staff
NCRI – An Iranian hacking group has been caught targeting Saudi Arabia’s energy and aviation sectors, according to a cyber security firm.
FireEye, a cybersecurity vendor, revealed that a hacking group with ties to the Iranian Regime, known as APT33, has been responsible for cyber espionage operations targeting Saudi petrochemical and aviation sectors since at least 2013.
This information comes from a recent investigation by FireEye Mandiant incident response consultants and analysis from FireEye iSIGHT Threat Intelligence, which uncovered information on APT33’s actions, abilities, and potential incentives.
According to a statement from FireEye, APT33 hacked a number of businesses between 2016 and 2017. They compromised the security of a US company in the aviation sector and through them targeted a Saudi Arabian aviation firm, hacked a South Korean company involved in oil refining and petrochemicals, and targeted a Saudi Arabian and a South Korean business by using malware disguised as a job application for a Saudi Arabian petrochemical company.
FireEye analysts believe that the Saudi Arabian companies were targeted in order to complete corporate espionage into regional rivals, while the targeting of South Korean companies may be due to South Korea’s various partnerships with Iranian companies in the petrochemical industry as well as South Korea’s relationships with Saudi Arabian petrochemical companies.
FireEye believes that APT33 targeted these organisations in order to help the Iranian Regime its own petrochemical production and improve its competitiveness within the region.
These emails, known as spear phishing emails, were sent to people who worked in or worked closely with the aviation industry. When the recipient opened the email, or clicked on a link, malicious HTML application files would download onto their computer.
However, as the links would indeed lead to legitimate job postings, the person would be none the wiser.
Another tactic used by APT33 was to register multiple domains that would masquerade as Saudi Arabian aviation companies and Western organisations, which provide training, maintenance and support for both Saudi Arabia’s military and commercial fleet.
The person opening the links would believe that they were coming from a trusted source.
The reason that FireEye experts suspect that the Iranian Regime is heavily involved in the hacking is that APT33’s targeting of companies involved in aviation and energy, closely aligns with the interests of Iran’s ruling elite.
Other indications include, the fact that the timing of these operations also lines up with Iranian working hours and the hacks use multiple Iranian hacker tools.
