
FireEye identifies alleged Iran govt-linked hacking group

By Juha Saarinen, iTnews on Sep 21, 2017 5:32AM

APT33 left tracks in malware launched at aviation, energy firms.

Researchers at security vendor FireEye have identified a new hacking group with alleged ties to the Iranian government, and which is currently engaged in cyber espionage operations.

Dubbed Advanced Persistent Threat 33 (APT33), the group sent spearphishing emails purporting to be from Boeing, Northrop Grumman Aviation Arabia, Vinnell Arabia and other companies, using bogus look-alike domains.

Aviation and energy companies in the United States, South Korea and Saudi Arabia have been targeted by APT33.

Targets were tricked into opening HTML application (.hta) files that displayed links to legitimate job postings.

However, the files also contained malicious Microsoft Windows PowerShell scripts that downloaded a custom APT33 backdoor, called TURNEDUP, onto the victims' computers.

APT33 made several operational mistakes in its attacks, including leaving a person's handle in the malware it deployed. FireEye alleged the handle was "tied to an Iranian persona who may have been employed by the Iranian government to conduct cyber threat activity against its adversaries".

FireEye researchers found the handle "xman_1365_x" in the file path embedded in many TURNEDUP samples, pointing to that user being involved in the development and use of the malware.
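A defender-side hunt for the same class of artifact, as an added example and not FireEye's code: it scans a binary for CodeView RSDS debug records, which carry the full PDB path the compiler saw, and pulls the user-profile name out of that path. It assumes the handle survived in such a compiler-embedded PDB path; the sample bytes and the path in them are constructed for the example.

```python
"""Scan a Windows binary for developer paths left in RSDS debug records.
Added example, not FireEye's tooling; it assumes the handle survives in the
compiler-embedded PDB path. The sample bytes are constructed, not a real sample.
"""
import re

RSDS_SIG = b"RSDS"
# Windows user-profile directories: modern and pre-Vista layouts.
_USER_RE = re.compile(rb"[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)
_DOCS_RE = re.compile(rb"Documents and Settings\\([^\\]+)\\", re.IGNORECASE)


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in a CodeView RSDS record in *data*.

    Record layout: 4-byte 'RSDS' signature, 16-byte GUID, 4-byte age,
    then a NUL-terminated path. Non-printable runs are skipped as false hits.
    """
    paths = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        start = pos + 4 + 16 + 4
        end = data.find(b"\x00", start)
        if end != -1:
            raw = data[start:end]
            if raw and all(0x20 <= b < 0x7F for b in raw):
                paths.append(raw.decode("ascii"))
        pos = data.find(RSDS_SIG, pos + 4)
    return paths


def user_from_path(path: str):
    """Return the user-profile name embedded in a Windows path, or None."""
    for pat in (_USER_RE, _DOCS_RE):
        m = pat.search(path.encode())
        if m:
            return m.group(1).decode()
    return None


# Constructed stand-in for the debug-directory region of a binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32
    + RSDS_SIG + bytes(range(16)) + b"\x01\x00\x00\x00"
    + b"C:\\Users\\xman_1365_x\\Desktop\\backdoor\\Release\\backdoor.pdb\x00"
)

if __name__ == "__main__":
    for p in extract_pdb_paths(SAMPLE):
        print(p, "->", user_from_path(p))
```

Run it over a corpus of samples and pivot on recurring user names or build directories; the same record is what `pdb` string searches in YARA rules match on.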

The security vendor said "open source reporting links the 'xman_1365_x' actor to the 'Nasr Institute', which is purported to be equivalent to Iran’s 'cyber army' and controlled by the Iranian government."

FireEye said its suspicion that APT33 was Iran-based was also raised because the group appeared to follow Iranian business hours, and used popular hacking tools and domain name servers also used by other alleged threat actors from that country.

Copyright © iTnews.com.au . All rights reserved.