Elfin Team
Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Refined Kitten (by CrowdStrike), Magnallium (by Dragos), Holmium (by Microsoft) and Elfin (by Symantec).


History

FireEye believes that the group was formed no later than 2013.


Targets

APT33 has reportedly targeted organizations in the aerospace, defense and petrochemical industries in the United States, South Korea and Saudi Arabia.


Modus operandi

APT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift or install a backdoor called TurnedUp. The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application (HTA) files to its targets; an HTA is run by mshta.exe with the privileges of the logged-on user rather than inside the browser sandbox, so its embedded VBScript or JScript executes as soon as the recipient opens the attachment. APT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.
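
Brand-impersonation domains of the kind described above can be hunted for in new-registration feeds or passive DNS. The following is an added example, not code from the article or from any vendor report: it normalises the registrable label of each observed domain, undoes common digit-for-letter substitutions, and flags labels that contain, or sit within a small edit distance of, a brand token. The brand tokens come from the article; the allowlist of genuine domains and every observed domain in the sample are constructed assumptions, not real APT33 infrastructure.

```python
"""Flag observed domains that impersonate brands APT33 is reported to have spoofed.

Added example, not from the article. The brand tokens come from the article;
the allowlist and the observed domains are constructed assumptions.
"""

# Brand tokens the article names as impersonated (lowercase, spaces removed)
BRAND_TOKENS = ("boeing", "alsalam", "northropgrumman", "vinnell")

# Assumed genuine domains to exclude from hits (assumption, not from the article)
ALLOWLIST = {"boeing.com", "northropgrumman.com", "vinnell.com"}

# Undo digit-for-letter substitutions and separators used in lookalike labels
_SUBST = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "-": "", "_": ""})


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain.

    Simplification: assumes a single-label public suffix such as .com or .net;
    a production check should consult the Public Suffix List.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    return label.lower().translate(_SUBST)


def match_brand(label):
    """Return the brand token a label impersonates, or None."""
    norm = normalize(label)
    for brand in BRAND_TOKENS:
        if brand in norm:  # brand plus suffix: boeing-jobs, vinnellcorp
            return brand
        if levenshtein(norm, brand) <= (1 if len(brand) < 10 else 2):  # typo: vinnel, northropgruman
            return brand
    return None


def flag_lookalikes(domains, allowlist=ALLOWLIST):
    """Return (domain, brand) for every observed domain that looks like a brand."""
    hits = []
    for raw in domains:
        domain = raw.lower().strip(".")
        if domain in allowlist:
            continue
        brand = match_brand(registrable_label(domain))
        if brand is not None:
            hits.append((domain, brand))
    return hits


# Constructed sample feed (e.g. one day of new registrations); not real APT33 infrastructure
OBSERVED_DOMAINS = [
    "boeing.com",
    "boeing-jobs.net",
    "b0eing.com",
    "northropgrumman-careers.com",
    "northropgruman.com",
    "vinnellcorp.net",
    "vinnel.com",
    "alsalamaircraft.net",
    "example.org",
]

if __name__ == "__main__":
    for domain, brand in flag_lookalikes(OBSERVED_DOMAINS):
        print(f"{domain:32} impersonates {brand}")
```

The substring check catches the "brand plus suffix" pattern (careers, jobs, portal) that phishing registrations favour, while the edit-distance check catches single-character typos and digit swaps. Candidates produced this way are a hunting lead, not a verdict: registration date, registrar and hosting are checked before anyone blocks or reports a domain.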


Identification

FireEye and Kaspersky Lab noted similarities between ShapeShift and Shamoon, another destructive wiper linked to Iran. APT33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time (IRST) business hours, remaining inactive on the Iranian weekend. One hacker known by the pseudonym xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army. xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.


See also

* Charming Kitten (APT35)

