APT33, an Iranian hacker group that specialises in infiltrating IT networks of organisations through password spraying methods, recently shifted its focus from targeting random IT networks to specifically targeting industrial control systems, according to Microsoft security researcher Ned Moran.
Moran, who is a member of Microsoft's threat intelligence group, will speak in detail at the CyberwarCon conference in Arlington, Virginia today about how APT33, also known as HOLMIUM, has suddenly shifted its tactics from trying to infiltrate IT systems belonging to tens of thousands of organisations to restricting its list of targets to around two thousand since mid-October.
According to WIRED who got a peek at Moran's research ahead of his scheduled speech, Microsoft observed that in the past couple of months, APT33 has not only narrowed down the list of organisations it intends to target, but has also increased the number of accounts targeted at these organisations by almost ten times on average.
Interestingly, around half of the top 25 organisations targeted by APT33 since October "were manufacturers, suppliers, or maintainers of industrial control system equipment" and dozens of other industrial equipment and software firms have been targeted by the hacker group of late.
APT33 preparing the groundwork for cyber attacks on industrial control systems
"They're going after these producers and manufacturers of control systems, but I don’t think they’re the end targets. They‘re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems," Moran told WIRED.
He added that APT33 has been found to be involved in various hacking campaigns that involved the use of a data-wiping malware known as Shamoon at a later stage, indicating that the hacker group was given the task of laying the groundwork for major cyber attacks on targeted systems.
The fact that APT33 is now targeting more industrial control systems than ever before with password spraying attacks suggests that Iran intends to directly attack physical infrastructure in the West rather than just wiping computers. "Given their previous modus operandi of destructive attacks, it stands to reason that they’re going after ICS," Moran added.
Iran is amassing assets to carry out cyber warfare
"Microsoft's research into APT33's recent targeting of industrial control systems reminds us that in the great cyber game, it’s about using peacetime to build “optionality”; amass assets, resources and access," says Sam Curry, chief security officer at Cybereason.
"The Iranian cyber forces are masters of this, and seeing increases in the cold war that is cyber conflict, it makes sense that they would continue to grow what’s worked in the past: expand penetration of weak networks with high access, produce tools for use in the ecosystem of cyber aggressors and build capacity.
"Iran has been on the receiving end of such attacks, as with Stuxnet, and it’s been the attacker too, as with Saudi Aramco in 2012 this isn’t new, and it isn’t a passing fad. The great game of nations has a cyber extension now for new, less risky and ever-more-powerful extensions of politics by other means - to paraphrase Clauswitz.
"It should come as no surprise that nation states are looking to land, expand and grow their options. If you want to hamstring a country, drive trade concessions, win at the diplomacy table or amass power for strategic gains, cyber is the choice of the present and the foreseeable future," he adds.