A widely circulated security report by Symantec has claimed that an Iran-based hacking group was involved in a series of cyber attacks on US and Saudi Arabian firms.
The Symantec report establishes that Elfin, more widely known as APT33, a cyber-espionage group, has been planning and executing cyber attacks on strategic firms located in the US and Saudi Arabia.
It has been found that Elfin has been actively involved in such attacks since 2015. In its
According to Symantec's monitoring evidence, Elfin has been launching attacks since the beginning of 2016. The group ran targeted campaigns against numerous organizations, with almost 42% of its attacks directed at Saudi Arabia and 34% at the US.
Records suggest that Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors, some of them Fortune 500 companies.
Exploitation of WinRAR Flaw
Symantec also identified a vulnerability in the WinRAR file compression application that lets attackers extract malicious files from a seemingly harmless archive into the Windows Startup folder. This in turn lets them execute arbitrary code on the targeted computer.
Although the vulnerability had been identified earlier by WinRAR, it was actively exploited by various hacking groups soon after proof-of-concept (PoC) exploit code went public.
Symantec explained that the WinRAR vulnerability was exploited in the hacking of a chemical organization in Saudi Arabia, where two users received the malicious file via a spear-phishing email.
Apart from Symantec, FireEye also identified four separate campaigns exploiting the WinRAR vulnerability to install password stealers, trojans and other malicious software.
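The flaw described above works because the extractor trusts the file path stored inside the archive, so a member name can climb out of the chosen folder and into a Startup folder. The following added example (not code from the Symantec or FireEye reports) shows the pre-extraction check a defender would run on archive member names; it uses a ZIP archive as a stand-in because Python's standard library cannot parse the archive format WinRAR was attacked through, and the extraction directory and sample member names are constructed.

```python
import io
import ntpath
import posixpath
import zipfile

# Assumed extraction directory (constructed; the check is purely path-based)
DEFAULT_DEST = "C:/Users/victim/Downloads"
# Case-insensitive marker shared by the per-user and all-users Startup folders
STARTUP_MARKER = "start menu/programs/startup"


def is_unsafe_entry(name: str, dest: str = DEFAULT_DEST) -> bool:
    """Return True if extracting this member name verbatim would write outside
    `dest` (absolute path, drive letter, UNC path or '..' traversal) or if the
    resolved path references a Windows Startup folder."""
    norm = name.replace("\\", "/")          # WinRAR/ACE entries use backslashes
    if posixpath.isabs(norm) or ntpath.splitdrive(norm)[0]:
        return True                          # absolute or drive-qualified path
    dest_norm = posixpath.normpath(dest.replace("\\", "/"))
    resolved = posixpath.normpath(posixpath.join(dest_norm, norm))
    if resolved != dest_norm and not resolved.startswith(dest_norm + "/"):
        return True                          # '..' components escaped dest
    return STARTUP_MARKER in resolved.lower()


def scan_archive(data: bytes, dest: str = DEFAULT_DEST) -> list:
    """Return the member names of a ZIP archive that fail is_unsafe_entry.
    Run this before handing the archive to any extractor."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if is_unsafe_entry(n, dest)]


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and one whose stored name climbs
    out of the extraction directory into the all-users Startup folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "benign content")
        zf.writestr(
            "../../../ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/update.exe",
            "placeholder, not a real executable",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for bad in scan_archive(build_sample_archive()):
        print("unsafe member:", bad)
```

A member that trips this check should be quarantined rather than extracted, and the same name-based test applies to any archive format whose extractor honours stored paths.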
Other Tools Used by APT33
APT33 has deployed a wide range of tools from its custom malware toolkit, including the Notestuk backdoor (aka TURNEDUP), the Stonedrill Trojan and a backdoor written in AutoIt.
It also used c
Established Links Between Shamoon Attacks and APT33/Elfin
In December 2018, Symantec found a connection between APT33/Elfin and a wave of Shamoon attacks targeting the energy sector; one of the victims was a company in Saudi Arabia that had been infected with the Stonedrill malware used by Elfin.
“One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the
To date, no further evidence has been established to claim that Elfin was responsible for these Shamoon attacks.
However, FireEye claimed it found evidence of APT33 working on behalf of the Iranian government against targets both military and commercial, along with organizations in the energy sector, giving clear evidence of Iran-led cyber espionage in the Middle East and the wider world.