Iranian hackers have carried out some of the most disruptive acts of digital sabotage of the last decade, wiping entire computer networks across the Middle East and occasionally, in waves of cyberattacks, in the United States. But now one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, it is targeting the physical control systems used in electric utilities, manufacturing, and oil refining.
Microsoft security researcher Ned Moran has described a change in the activity of the Iranian hacker group APT33, also known as Holmium, Refined Kitten, or Elfin. Microsoft has observed the group carrying out so-called password-spray attacks over the past year, trying a few common passwords against user accounts at thousands of organizations.
Password spraying is generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says, APT33 has narrowed its spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations roughly tenfold on average.
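Password spraying leaves a characteristic trace in authentication logs: one source touching many distinct accounts, each only a few times, as opposed to brute force, which hammers a single account. The Python script below is an added example, not code from the article, from Microsoft, or from any vendor named on the page. It triages constructed sample log lines into spray, brute-force and benign per source, and shows the caveat a defender runs into: a spray stretched over hours slips under a short detection window. The log line format, source addresses, account names, thresholds and sample events are all assumptions made up for the example.

```python
"""Password-spray vs. brute-force triage over authentication-failure logs.

Added example; not code from the article or from Microsoft. It assumes a
constructed syslog-like line format (an assumption, not a real product's):
    <ISO-8601 timestamp> auth-fail user=<account> src=<source IP>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")

# Severity order used when a source shows more than one pattern.
_RANK = {"spray": 2, "brute-force": 1, "benign": 0}


def _lines(src, ts0, users, step):
    """Build constructed log lines: one failure per entry in `users`, `step` apart."""
    t = datetime.fromisoformat(ts0)
    return [f"{(t + i * step).isoformat()} auth-fail user={u} src={src}"
            for i, u in enumerate(users)]


# Constructed sample input (not real data): four sources, four behaviours.
SAMPLE_LOG = (
    # fast spray: 8 accounts, one guess each, inside a minute
    _lines("198.51.100.7", "2019-11-20T09:00:00",
           ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"],
           timedelta(seconds=5))
    # brute force: 12 guesses against a single account
    + _lines("203.0.113.5", "2019-11-20T09:10:00", ["admin"] * 12, timedelta(seconds=2))
    # benign: one user mistyping a password twice
    + _lines("192.0.2.10", "2019-11-20T09:15:00", ["jdoe", "jdoe"], timedelta(minutes=1))
    # slow spray: 6 accounts, one guess each, 20 minutes apart (spans 100 minutes)
    + _lines("198.51.100.9", "2019-11-20T10:00:00",
             ["ivan", "judy", "ken", "laura", "mike", "nina"], timedelta(minutes=20))
)


def parse(lines):
    """Parse log lines into (timestamp, user, src) tuples; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def classify_sources(events, window_seconds=1800, min_users=5, max_per_user=3, min_attempts=10):
    """Return {src: (verdict, distinct_users, attempts)} for each source's worst window.

    spray:        >= min_users distinct accounts, none hit more than max_per_user times
    brute-force:  >= min_attempts failures concentrated on fewer than min_users accounts
    benign:       everything else
    The window slides over each source's failures in time order.
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    result = {}
    for src, evs in by_src.items():
        evs.sort()
        best = ("benign", 0, 0)
        for i, (start, _) in enumerate(evs):
            per_user = defaultdict(int)
            for ts, user in evs[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            users, attempts = len(per_user), sum(per_user.values())
            if users >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "spray"
            elif attempts >= min_attempts and users < min_users:
                verdict = "brute-force"
            else:
                verdict = "benign"
            # keep the most severe window; break ties by attempt count
            if (_RANK[verdict], attempts) > (_RANK[best[0]], best[2]):
                best = (verdict, users, attempts)
        result[src] = best
    return result


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for w in (1800, 86400):
        print(f"window={w}s")
        for src, (verdict, users, attempts) in sorted(classify_sources(evs, window_seconds=w).items()):
            print(f"  {src:15} {verdict:12} users={users} attempts={attempts}")
```

With the default 30-minute window the slow source 198.51.100.9 is reported as benign; widening the window to a day exposes it as a spray. Two further caveats apply in practice: the thresholds here are guesses and need tuning against a tenant's normal failure rate, and a spray distributed across many source addresses is invisible to per-source grouping, so a tenant-wide view (many distinct accounts failing in the same short period, regardless of source) is needed as well.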
Microsoft ranked those targets by the number of accounts the hackers tried to break into; Moran says about half of the top 25 were manufacturers, suppliers, or maintainers of industrial control system equipment. In total, Microsoft says it has seen APT33 target dozens of those industrial hardware and software companies since mid-October.
The hackers’ motives, and which industrial control systems they have actually breached, remain unclear. Moran speculates that the group is seeking a foothold from which to carry out cyberattacks with physical effects. “They want to inflict some pain on the critical infrastructure of someone who uses these control systems,” he says.
The shift is a particularly worrying move for APT33, given its history. Although Moran says Microsoft has not seen direct evidence of APT33 carrying out a destructive cyberattack, as opposed to mere espionage or reconnaissance, it has seen incidents in which the group at least laid the groundwork for such attacks.
The group’s fingerprints have shown up in several intrusions where the victims were later hit with a piece of data-wiping malware known as Shamoon, Moran says. McAfee warned last year that APT33, or a group pretending to be APT33, it hedged, was deploying a new version of Shamoon in a series of data-destroying attacks. Threat intelligence firm FireEye has warned since 2017 that APT33 has links to another piece of destructive code known as Shapeshift.
Moran declined to name any specific industrial control system (ICS) companies or products targeted by the APT33 hackers. But he warns that the group’s targeting of those control systems suggests Iran may want to go beyond merely wiping computers in its cyberattacks.
It may hope to affect physical infrastructure. Such attacks are rare in the history of state-sponsored hacking, but disturbing in their effects. In 2009 and 2010, for example, the United States and Israel jointly launched a piece of code known as Stuxnet that destroyed Iranian nuclear-enrichment centrifuges. In December 2016, Russia used a piece of malware known as Industroyer or Crash Override to cause a brief blackout in the Ukrainian capital, Kiev.
Hackers of unknown origin deployed a piece of malware known as Triton or Trisis at a Saudi oil refinery in 2017, designed to disable the plant’s safety systems. Some of these attacks, particularly Triton, had the potential to cause physical harm that threatened the safety of personnel inside the targeted facilities.
Iran has never been publicly tied to an ICS attack of that kind. But Microsoft’s new targeting data suggests it may be working to develop those capabilities.
But Adam Meyers, vice president of intelligence at security firm CrowdStrike, cautions against reading too much into APT33’s new focus. It could just as easily be focused on espionage. “Energy companies rely on it,” says Meyers.