Group: APT33, Elfin, MAGNALLIUM
|Associated Groups|APT33, Elfin, MAGNALLIUM|
|External Contributors|Dragos Threat Intelligence|
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [1]
Associated Group Descriptions
- APT33 - FireEye noted a potential link between APT33 and Shamoon based on similar dropper malware, "DROPSHOT". [2]
- Elfin - Symantec mentioned a potential link between Elfin and Shamoon based on the close timing of the two groups' attacks within a particular organization. [3]
- MAGNALLIUM - [4]
- Screen Capture - APT33 utilizes backdoors capable of capturing screenshots once installed on a system. [2] [5]
- Scripting - APT33 utilized PowerShell scripts to establish command and control and to install files for execution. [3] [4]
- Spearphishing Attachment - APT33 sent spearphishing emails containing links to HTML application (HTA) files that were embedded with malicious code. [2] APT33 has conducted targeted spearphishing campaigns against U.S. government agencies and private sector companies. [6]
- [1] Enterprise ATT&CK. (n.d.). APT33. Retrieved October 27, 2019.
- [2] Jacqueline O'Leary et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.
- [3] Symantec. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved December 2, 2019.