A private cybersecurity firm has identified what it says is a hacking group sponsored by the Iranian government that has targeted organizations in the U.S., the Middle East and Asia.
The firm, FireEye, which gathers cyber intelligence and responds to incidents through its Mandiant subsidiary, says in a report out Wednesday that the Iranian hacking group has targeted companies involved in the petrochemical industry and in military and commercial aviation — perhaps seeking an edge in its regional rivalry with Saudi Arabia.
FireEye dubbed the group APT33 — APT stands for "advanced persistent threat" — and says it has hacked targets through spearphishing emails.
"These campaigns demonstrate the depth of Iran's cyber capabilities," said John Hultquist, director of intelligence analysis for FireEye. "Actors like APT33, now narrowly focused on the Middle East, are the tools Iran will reach for if they choose to carry out attacks in the future."
Attributing cyber activity is a matter of detective work. FireEye traced the hackers to Iran in part through a handle, "xman_1365_x," that the firm linked to an Iranian government software engineer.
Read the FireEye's full report here
The report also notes that the hackers' workday appeared to correspond to Iran's time zone, and Iran's Saturday to Wednesday work week.
"APT33's focus on aviation may indicate the group's desire to gain insight into regional military aviation capabilities to enhance Iran's aviation capabilities or to support Iran's military and strategic decision making," the report says.
"Their targeting of multiple holding companies and organizations in the energy sectors align with Iranian national priorities for growth, especially as it relates to increasing petrochemical production. We expect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions and sectors as Iranian interests dictate."
From mid-2016 through early 2017, APT33 compromised an unnamed U.S. aerospace organization, FireEye said, and it targeted a Saudi Arabian company with aviation holdings.
During the same time period, APT33 also targeted a South Korean company involved in oil refining and petrochemicals, the report says.
More recently, in May 2017, APT33 appeared to target a Saudi organization and a South Korean company using a malicious email that attempted to entice victims with job vacancies for a Saudi Arabian petrochemical company.
"We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia's military aviation capabilities to enhance Iran's domestic aviation capabilities or to support Iran's military and strategic decision making vis a vis Saudi Arabia," the report says.
FireEye found some links in the malware used by APT33 to Shamoon, the name of an Iran-linked cyberattack that wiped out three quarters of the computers at the Saudi oil company in 2012, leaving only a picture of a burning American flag.
Iran is considered one of the West's most dangerous cyber adversaries, along with Russia, China and North Korea.
In a statement presented to the Senate Intelligence Committee in May, Director of National Intelligence Dan Coats said that "Tehran continues to leverage cyber espionage, propaganda and attacks to support its security priorities, influence events and foreign perceptions, and counter threats — including against U.S. allies in the region."
The statement also said that Iran's leaders are focused on "countering what they perceive as a Saudi-led effort to fuel Sunni extremism and terrorism against Iran and Shia communities throughout the region."
The U.S. and Israel are believed to have attacked Iran's nuclear program with a malware dubbed Stuxnet, identified in 2010, that physically damaged nuclear equipment.