State-sponsored cyber espionage has been rising steadily in recent years. Whether it’s high-profile attacks such as North Korea’s hack of Sony in 2014, China’s alleged hack of the US’s Office of Personnel Management in 2015, or Russia’s alleged hack of the Democratic National Committee in 2016, the stories are mounting. Iran has also been in the cyber espionage news, with major suspected attacks ranging from the Las Vegas Sands attack in 2014 to the DDOS attack on numerous US banks in 2016.
Beyond these high-profile attacks, there are also countless examples of low-profile attacks. While these attacks don’t make the major headlines, they may actually be more relevant to your organization.
In this blog, we zero in on this lesser-publicized activity, focusing on a recently discovered Iranian hacker group, dubbed APT33, the tools they have developed, and how AlienVault can help you detect this activity in your environment.
What is state-sponsored cyber espionage and what are the typical goals?
First, a quick primer on state-sponsored cyber espionage. State-sponsored cyber espionage is the act of obtaining secrets and information from individuals, competitors, rivals, groups, governments, and enemies, without the permission and knowledge of the holder of the information, usually for economic, political, or military advantage.
The goals of these state-sponsored groups or individuals range from basic theft or sabotage to collecting military and diplomatic information to enabling domestic organizations to compete on a global economic level.
Why should you care?
Should you be concerned about state-sponsored cyber hacks? In a word, yes. And, it’s really the low-profile attacks from state-sponsored hackers that should be most concerning. This is because the tools and methods that these hackers develop and utilize can be leveraged by other nefarious hackers against your organization. You need to be alerted to and protected against these tools.
Who is APT33?
This leads us to Iranian group Advanced Persistent Threat 33 (APT33), a group recently chronicled by security firm FireEye. FireEye assessed that APT33 works at the behest of the Iranian government, and they attribute to APT33 many breaches of Saudi Arabian, South Korean, and US organizations ranging from the aviation sector to the energy sector. The primary goals of APT33 appear to be to enhance Iran’s domestic aviation capabilities or to support Iran’s military decision making against Saudi Arabia.
Notably, FireEye has found signs of APT33 activity in some of its own clients' networks, but suspects the APT33 intrusions have been on a wider scale.
APT33 has unveiled new tools, including a new backdoor.
APT33 has developed numerous tools, including a new backdoor called TURNEDUP. TURNEDUP is capable of uploading and downloading files, creating a reverse shell, taking screenshots, and gathering system information.
FireEye found that APT33 has also leveraged Dropshot, a dropper that has been observed dropping and launching the TURNEDUP backdoor. Interestingly, FireEye suggests it is possible that Dropshot may be shared amongst other Iran-based threat groups, given its similarity to other well-documented malware. In March 2017, Kaspersky Labs released a report that compared Dropshot (which they call Stonedrill) with Shamoon 2.0, the most recent variant of Shamoon, a vicious data-destroying malware. But interestingly, both the Dropshot malware and the APT33 activity appear to be distinct from the group using Shamoon. Therefore, FireEye assesses there may be multiple Iran-based threat groups capable of carrying out destructive operations.
Finally, the group’s use of multiple custom backdoors suggests to FireEye that they have access to some of their own development resources, while also making use of publicly available tools.
How AlienVault USM Helps
The AlienVault® Unified Security Management™ (USM) platform brings together essential security capabilities needed to quickly detect and respond to backdoor activity like TURNEDUP – including asset discovery, vulnerability assessment, intrusion detection, incident response, SIEM, and log management.
Additionally, as new threats emerge and existing threats evolve, the AlienVault Labs Security Research Team delivers continuous and automatic threat intelligence updates directly to the USM platform, so you always have the latest threat information about the threat actors, their methods, infrastructure, and tools. This threat intelligence is delivered in ready-to-use formats: correlation rules, IDS signatures, remediation guidance, and more, saving you the time and effort you would have spent in researching threats and operationalizing threat detection and response.
The AlienVault Labs Security Research Team recently updated the known threat intelligence related to APT33 and the TURNEDUP backdoor, delivering the updates automatically to the USM platform in the form of IDS signatures and correlation rules. In addition, IDS signatures and correlation rules covering Dropshot and Shamoon have been in the product since those threats surfaced in March.
To see threat intelligence in action within AlienVault USM, head over to our interactive, online demo environment.
One of the threat data sources that the AlienVault Labs Security Research Team leverages is the Open Threat Exchange (OTX), the world’s first truly open and free threat intelligence community that enables collaborative defense with actionable, community-powered threat data. OTX has 65,000 users, who contribute over 14 million pieces of threat data daily. The labs team analyzes those indicators through machine learning with human validation. So, AlienVault USM platform users get the best threat intelligence from the AlienVault Labs Security Research Team, backed by the power of community-sourced threat data from the global InfoSec community. Even if you’re not an AlienVault USM platform user, you can still join and participate in OTX. It’s free to join, so sign up today!