Hyas Blog | Hunting APT33 Campaign Infrastructure
Geopolitical risk is only one of many considerations that global enterprises and institutions must factor into their businesses, but when it intersects with a firm's information security, that risk takes on entirely new dimensions. This has been the case in the current geopolitical environment, given the tensions between Iran and other global powers. Advanced persistent threat (APT) groups that may not previously have focused on particular geographies or industries are now much more active in their efforts to compromise targets they see as important new opportunities.
One such example is the increase in attacks observed from APT33 and other Iranian state-aligned groups such as APT34, APT35, and MuddyWater. APT33 (also tracked as "Elfin (Team)", "Refined Kitten", "Magnallium", and "Holmium") in particular has shown increased interest in a broader set of industries, including financial services and advanced technology companies, an effort that goes beyond its historic focus on Middle Eastern targets and on the energy and utility, aerospace, and defense industries.
APT33 is known for its use of both custom malware and commodity malware and tools. HYAS has observed APT33 campaign infrastructure used against targets in the US and other countries as part of our ongoing work to provide additional telemetry and, where possible, advance warning to our clients. HYAS' data collection and attribution engine is able to identify not only the campaign infrastructure used in a current attack but also, with confidence, the infrastructure being spun up for near-term or future attacks.
One such example is highlighted by the recent US Cyber Command notice regarding malicious use of CVE-2017-11774 (a Microsoft Outlook security feature bypass) by APT33. In its public alert of July 2nd, 2019, the malware used in the attacks was noted as being delivered from the domain customermgmt[.]net. Since then, other research teams (including ClearSky, Symantec, and FireEye) have done excellent work tying the domains backupaccount[.]net, customermgmt[.]net, whiteelection[.]net, and inboxsync[.]org to APT33, which is consistent with HYAS' assessment.
HYAS' threat intelligence team had identified these domains as associated with APT33 in May, before they were put into use in campaigns. Reviewing proprietary data and the APT33 TTPs known to our team, we have identified a number of other domains that HYAS assesses with high confidence (>95%) or moderate confidence (>75%) to be connected to APT33.
HIGH CONFIDENCE (>95%):
admindirector[.]com
backupaccount[.]net
ceoadminoffice[.]com
customermgmt[.]net
diplomatsign[.]com
whiteelection[.]com
groupchiefexecutive[.]com
inboxsync[.]org
mailsarchive[.]com
managementdirector[.]com
officemngt[.]com
MODERATE CONFIDENCE (>75%):
urlmanage[.]com
truelogon[.]com
tokensetting[.]com
service-search[.]info
phpencryptssl[.]com
moreonlineshopping[.]com
cardkuys[.]com
cardchsk[.]com
businessscards[.]com
We encourage security professionals to treat the above domains as indicators worth monitoring and blocking, and to talk to HYAS about how we can help not only attribute current bad actors and threats but also proactively identify the infrastructure likely to be used in future attacks.
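To act on a list like this, defenders typically refang the indicators and run them against resolver or proxy logs. The Python below is an added example, not HYAS code or tooling, that does exactly that for the domains listed above. The log line format and the log lines themselves are constructed for illustration; matching is done on label boundaries so that subdomains of an indicator (mail.customermgmt.net) are caught while look-alike names (notcustomermgmt.net, customermgmt.net.example.com) are not.

```python
"""Match DNS query logs against the APT33 domains listed above.

Added example, not HYAS code. The log line format and SAMPLE_LOG below are
constructed for illustration; adapt parse_line() to your resolver's format.
"""
from typing import Dict, List, Optional, Tuple

# Indicators exactly as published above, still defanged with "[.]" so the
# list can be pasted from the report without turning into live links.
HIGH_CONFIDENCE: List[str] = [
    "admindirector[.]com", "backupaccount[.]net", "ceoadminoffice[.]com",
    "customermgmt[.]net", "diplomatsign[.]com", "whiteelection[.]com",
    "groupchiefexecutive[.]com", "inboxsync[.]org", "mailsarchive[.]com",
    "managementdirector[.]com", "officemngt[.]com",
]
MODERATE_CONFIDENCE: List[str] = [
    "urlmanage[.]com", "truelogon[.]com", "tokensetting[.]com",
    "service-search[.]info", "phpencryptssl[.]com", "moreonlineshopping[.]com",
    "cardkuys[.]com", "cardchsk[.]com", "businessscards[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator into a hostname normalised for comparison."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")


def build_ioc_table() -> Dict[str, str]:
    """Map each refanged domain to its confidence tier (high wins on overlap)."""
    table: Dict[str, str] = {}
    for d in MODERATE_CONFIDENCE:
        table[refang(d)] = "moderate"
    for d in HIGH_CONFIDENCE:
        table[refang(d)] = "high"
    return table


def match_domain(qname: str, table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (indicator, tier) if qname is an indicator or a subdomain of one.

    Candidates are built on label boundaries, so "mail.customermgmt.net" hits
    while "notcustomermgmt.net" and "customermgmt.net.example.com" do not.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # every suffix with at least two labels
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate, table[candidate]
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse a constructed log line: '<timestamp> <client_ip> <qname> <qtype>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"ts": parts[0], "client": parts[1], "qname": parts[2], "qtype": parts[3]}


def scan_log(lines: List[str], table: Optional[Dict[str, str]] = None) -> List[Dict[str, str]]:
    """Return one hit record per log line whose query name matches an indicator."""
    table = table if table is not None else build_ioc_table()
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        matched = match_domain(rec["qname"], table)
        if matched is not None:
            hits.append({**rec, "indicator": matched[0], "confidence": matched[1]})
    return hits


# Constructed sample resolver log; timestamps, clients and names are made up.
SAMPLE_LOG: List[str] = [
    "2019-07-02T10:15:00Z 10.0.0.5 mail.customermgmt.net A",
    "2019-07-02T10:15:01Z 10.0.0.5 www.example.com A",
    "2019-07-02T10:15:02Z 10.0.0.7 notcustomermgmt.net A",
    "2019-07-02T10:15:03Z 10.0.0.7 customermgmt.net.example.com A",
    "2019-07-02T10:15:04Z 10.0.0.9 TRUELOGON.COM. A",
    "2019-07-02T10:15:05Z 10.0.0.9 inboxsync.org MX",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['qname']} "
              f"[{hit['confidence']} confidence: {hit['indicator']}]")
```

Running the script against the constructed log reports three hits (the customermgmt.net subdomain, the uppercase truelogon.com query, and the inboxsync.org MX lookup) and ignores the two look-alike names. A hit on a moderate-confidence domain is a lead to investigate rather than proof of compromise; the confidence tier is carried through in each record so that alerting rules can treat the two lists differently.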
For more information about Hyas, email us at sales@hyas.com or go to hyas.com/demo.