Sunday, November 17, 2019

Trend Micro reveals that over a dozen obfuscated APT33 botnets have been used for extreme narrow targeting

The threat group regularly referred to as APT33 is known to target the oil and aviation industries aggressively, Trend Micro revealed. This threat group has been reported on consistently for years, but recent findings show that the group has been using about a dozen live Command and Control (C&C) servers for extremely narrow targeting. 

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

The group puts up multiple layers of obfuscation to run these C&C servers in extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia.

“We believe these botnets, each comprising a small group of up to a dozen infected computers, are used to gain persistence within the networks of select targets,” Trend Micro wrote in a post this week. 

The malware is rather basic, and has limited capabilities that include downloading and running additional malware. Among active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia.

APT33 has also been executing more aggressive attacks over the past few years. For example, for at least two years the group used the private website of a high-ranking European politician (a member of the country’s defense committee) to send spear phishing emails to companies that are part of the supply chain of oil products. Targets included a water facility that is used by the U.S. army for the potable water supply of one of its military bases.

These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, Trend Micro observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server.

Another European oil company suffered from an APT33-related malware infection on one of its servers in India for at least three weeks in November and December last year. Several other companies in oil supply chains had been compromised in the fall of 2018 as well. These compromises indicate a big risk to companies in the oil industry, as APT33 is known to use destructive malware.
