A widely circulated security report by Symantec attributes a series of cyber attacks on US and Saudi Arabian firms to an Iran-based hacking group.

The Symantec report links the cyber-espionage group Elfin, widely known as APT33, to the planning and execution of cyber attacks on strategic firms located in the US and Saudi Arabia.

Elfin has been actively involved in such attacks since 2015. In its operations to date, it has successfully targeted a wide range of organizations in R&D, chemicals, engineering, manufacturing, consulting, finance, telecommunications and even government.

According to Symantec's monitoring data, Elfin has been launching attacks since the beginning of 2016. The group ran targeted campaigns against numerous organizations, with almost 42% of attacks directed at Saudi Arabia and 34% at the US.

Records suggest that Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors, some of which were Fortune 500 companies.

Exploitation of WinRAR Flaw

Symantec also identified the use of a vulnerability in the WinRAR file compression application that allows attackers to make a seemingly harmless archive extract a malicious file into the Windows Startup folder. This in turn lets them execute arbitrary code on the targeted computer.

Although the vulnerability had already been identified by WinRAR, it was actively exploited by various hacking groups soon after proof-of-concept (PoC) exploit code went public.

Symantec explained that the WinRAR vulnerability was exploited in an attack on a chemical organization in Saudi Arabia, where two users received the malicious file via a spear-phishing email.

Apart from Symantec, FireEye also identified four separate campaigns exploiting the WinRAR vulnerability to install password stealers, trojans and other malicious software.
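As an added defender-side illustration (not code from Symantec's or FireEye's reports), the following Python helper validates archive entry names before extraction and flags the absolute paths and `..` traversal sequences that let an extractor drop a file into a Startup folder; the Startup path marker, destination directory and sample entry list are constructed assumptions.

```python
import posixpath
import re
from dataclasses import dataclass

# Case-insensitive marker for the per-user and all-users Startup folders on Windows.
STARTUP_MARKER = "/start menu/programs/startup/"
DRIVE_RE = re.compile(r"^[A-Za-z]:")  # matches a Windows drive prefix such as C:


@dataclass
class Verdict:
    entry: str
    resolved: str
    absolute: bool         # entry carries a drive letter or leading slash
    escapes_dest: bool     # resolved path lands outside the extraction directory
    targets_startup: bool  # resolved path lands in a Startup folder

    @property
    def unsafe(self) -> bool:
        return self.absolute or self.escapes_dest or self.targets_startup


def check_entry(entry: str, dest_dir: str) -> Verdict:
    """Resolve one archive entry name against dest_dir and flag the absolute
    paths and '..' traversal that an extraction bug turns into persistence."""
    # Entry names may use either separator; normalize both to '/'.
    name = entry.replace("\\", "/")
    dest = posixpath.normpath(dest_dir.replace("\\", "/"))
    absolute = name.startswith("/") or bool(DRIVE_RE.match(name))
    resolved = posixpath.normpath(name if absolute else posixpath.join(dest, name))
    escapes = absolute or not (resolved == dest or resolved.startswith(dest + "/"))
    startup = STARTUP_MARKER in (resolved + "/").lower()
    return Verdict(entry, resolved, absolute, escapes, startup)


def unsafe_entries(entries, dest_dir):
    """Return the verdicts for every entry that must not be extracted."""
    return [v for v in (check_entry(e, dest_dir) for e in entries) if v.unsafe]


# Constructed sample listing; not taken from any real archive.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/readme.txt",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\svc.exe",
]

if __name__ == "__main__":
    for v in unsafe_entries(SAMPLE_ENTRIES, "C:\\Users\\alice\\Downloads\\invoice"):
        print(f"BLOCK {v.entry!r} -> {v.resolved}")
```

The same check applies to any archive format: run it over the entry listing before handing the archive to an extractor, and refuse the whole file if any entry is flagged.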

Other Tools Used by APT33

APT33 has deployed a wide range of tools from its custom malware toolkit, including the Notestuk backdoor (aka TURNEDUP), the Stonedrill Trojan and a backdoor written in AutoIt.

It also used commodity malware tools, including Remcos, DarkComet, Quasar RAT, Pupy RAT, NanoCore, and NetWeird, along with many publicly available hacking tools, like Mimikatz, SniffPass, LaZagne, and Gpppassword.

Established Links Between Shamoon Attacks and APT33/Elfin

In December 2018, Symantec found a connection between APT33/Elfin and a wave of Shamoon attacks targeting the energy sector. One of the victims, a company in Saudi Arabia, had been infected with the Stonedrill malware used by Elfin.

“One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware used by Elfin. Because the Elfin and the Shamoon attacks against this organization occurred so close together, there has been speculation that the two groups may be linked,” Symantec said.

To date, no further evidence has been established to show that Elfin was responsible for these Shamoon attacks.

However, FireEye claimed it found evidence of APT33 working on behalf of the Iranian government, in both military and commercial capacities, along with organizations in the energy sector, which it presents as clear evidence of Iran-led cyber espionage in the Middle East and the world.