
Iranian Hacker Group APT33 Linked to Proliferation of Destructive ShapeShift/StoneDrill Malware

Posted: November 7, 2017

For years Iran has been accused of being one of the most active state-sponsored hacking countries in the world: stealing data from government and corporate networks, organizing attacks on US banks and unleashing crippling malware on systems across the Middle East. Amid all that mayhem, one Iranian hacking group penetrated a broad array of targets around the world while quietly evading public attention until recently. Although the group has so far stuck to a more traditional kind of spying, it may also be preparing for a more destructive round of attacks.

The security company FireEye has released research into the group, now dubbed Advanced Persistent Threat 33 (APT33), attributing to it a wide range of breaches at businesses in the defense, petrochemical and aerospace industries in countries including South Korea, Saudi Arabia and the United States. FireEye has been tracking APT33 closely since May 2016 and believes the group has been active as far back as 2013, with mounting evidence that it has ties to the government of Iran. FireEye describes the group's activity as focused on stealthy espionage, but it has also found links between APT33 and a data-destroying piece of malware that researchers analyzed earlier this year.

There may be an opportunity to recognize the actor while it is still focused on espionage, before its actions escalate into something more aggressive, according to John Hultquist, director of intelligence analysis at FireEye. He compared APT33 to Sandworm, a Russia-linked hacking operation FireEye uncovered in 2014 that was spying on NATO and Ukrainian targets. Sandworm escalated to data wiping in 2015 and then to two sabotage attacks on Ukraine's power grid. Hultquist also said the APT33 team has been seen deploying destructive tools that could be used for sowing disruption, or worse, overnight.

FireEye said it has encountered APT33 activity in six of its clients' networks, but suspects a far greater scope of intrusion. For now, the group's targeting has been driven by Iran's regional interests: although organizations in South Korea and the United States were hit, those companies had Middle Eastern ties. FireEye declined to name the affected companies.

Dropper Infections Utilized by APT33

Beyond the usual economic espionage, FireEye found victim networks infected with a dropper, a piece of malware designed to deliver one or more further payloads to an infected machine. FireEye dubbed the dropper DropShot. In some cases DropShot went on to install additional malware, specifically a wiper FireEye calls ShapeShift, which destroys a computer's data by overwriting the contents of its hard drives.

Although FireEye did not find any destructive malware on the networks where it spotted APT33, it did find the same DropShot dropper being used in those intrusions to install TurnedUp, a backdoor. That shared dropper is what ties the espionage intrusions to the wiper, and no other hacking group has been seen using DropShot so far.

The idea that Iranian hackers may be working on another set of destructive attacks will not exactly sound like news to some. Back in 2012, a group of Iran-linked hackers calling themselves the 'Cutting Sword of Justice' used a similar wiper, known as Shamoon, to render the hard drives of some 30,000 Saudi Aramco computers useless, replacing their contents with the image of a burning US flag. The same year, a group calling itself the Izz ad-Din al-Qassam Cyber Fighters took credit for an escalating series of DDoS attacks on US banks, which were likewise pinned on Iran. In late 2016 and early 2017, another round of Shamoon attacks hit the Middle East, again rendering thousands of machines useless, this time leaving behind the image of a drowned three-year-old Syrian refugee who died in the Mediterranean.

Security company Kaspersky first spotted ShapeShift in March 2017, under the name StoneDrill. Kaspersky said it resembles Shamoon, but with improved techniques designed to better evade security mechanisms such as sandbox protections, which limit an application's access to the rest of a targeted computer. Kaspersky also noted at the time that one of the two targets it found StoneDrill on was in Europe, whereas Shamoon attacks had been confined to the Middle East. Eugene Kaspersky wrote in a blog post that he finds this worrying, because it suggests that malicious actors are testing the waters in regions that actors of this type had shown little interest in before.

Although APT33 appears focused on regional espionage at the moment, it is also conducting 'reconnaissance for attack,' according to Hultquist, who added that its posture could change with a sudden geopolitical twist.
