A notorious Iranian hacking team is aiming for industrial control systems

Over the past decade, Iranian hackers have performed some of the most disruptive acts of digital sabotage, wiping out entire computer networks in waves of cyber attacks in the Middle East and sometimes even in the US. But now it seems that one of Iran’s most active hacker groups has shifted the focus. Instead of standard IT networks, they focus on the physical control systems used in electricity companies, production, and oil refineries.

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group, which tracks the activity of the Iranian hacker group APT33, also known as Holmium, Refined Kitten, or Elfin. Over the past year, Microsoft has seen the group conduct so-called password spraying attacks, which try just a few common passwords against user accounts at tens of thousands of organizations. That is generally regarded as a crude and indiscriminate form of hacking. But in the last two months, Microsoft says, APT33 has narrowed its password spraying to around 2,000 organizations per month, while the number of accounts targeted at each of those organizations has increased almost tenfold on average.
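Password spraying looks different from classic brute forcing in an authentication log: one source touches many accounts with one or two attempts each, rather than hammering a single account with many passwords. As an added example (not code from the article, from Microsoft, or from any vendor named here), the following Python sketch classifies both patterns over constructed log lines. The log format, source addresses, account names, and thresholds are all assumptions chosen for illustration.

```python
"""Classify password spraying vs. brute force in an authentication log.

Added example; not from the Wired article or Microsoft's tooling. The log
format (timestamp, source IP, account, result), the addresses and the
thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds (assumed for illustration; tune to your own baseline).
SPRAY_MIN_ACCOUNTS = 10     # distinct accounts one source must fail against
SPRAY_MAX_PER_ACCOUNT = 3   # spraying tries only a few passwords per account
BRUTE_MIN_FAILS = 5         # repeated failures on one account = brute force
WINDOW = timedelta(minutes=30)

# Constructed sample log (not real data): a spraying source that eventually
# lands on one account, a brute-force source hammering "admin", and a
# legitimate user who mistypes once.
SAMPLE_LOG = (
    [f"2019-11-21T09:00:{i:02d}Z 203.0.113.7 user{i:02d} FAIL" for i in range(11)]
    + ["2019-11-21T09:00:11Z 203.0.113.7 dave SUCCESS"]
    + [f"2019-11-21T09:01:{i:02d}Z 198.51.100.23 admin FAIL" for i in range(8)]
    + ["2019-11-21T09:02:00Z 192.0.2.10 bob FAIL",
       "2019-11-21T09:02:05Z 192.0.2.10 bob SUCCESS"]
)


def parse_line(line):
    """Parse one assumed-format log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def analyse(lines, min_accounts=SPRAY_MIN_ACCOUNTS,
            max_per_account=SPRAY_MAX_PER_ACCOUNT,
            brute_min_fails=BRUTE_MIN_FAILS, window=WINDOW):
    """Return {ip: finding} for sources that spray or brute-force.

    A finding is {"pattern": "spray" | "brute-force", "accounts": [...],
    "compromised": [...]} where "compromised" lists accounts the same source
    later logged into successfully (the case worth paging on).
    """
    events = sorted((parse_line(l) for l in lines), key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))

    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, r in evs if r == "FAIL"]
        successes = sorted({user for _, user, r in evs if r == "SUCCESS"})
        counts = defaultdict(int)   # account -> failures inside the window
        lo = 0
        for ts, user in fails:
            counts[user] += 1
            # Slide the window: drop failures older than `window`.
            while ts - fails[lo][0] > window:
                old_user = fails[lo][1]
                counts[old_user] -= 1
                if counts[old_user] == 0:
                    del counts[old_user]
                lo += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                findings[ip] = {"pattern": "spray", "accounts": sorted(counts),
                                "compromised": successes}
                break
            if max(counts.values()) >= brute_min_fails:
                findings[ip] = {"pattern": "brute-force", "accounts": sorted(counts),
                                "compromised": successes}
                break
    return findings


if __name__ == "__main__":
    for ip, finding in analyse(SAMPLE_LOG).items():
        print(ip, finding)
```

The window matters: a "low and slow" spray that spreads its attempts over days stays under the per-window account count, so a second pass with a much longer window (hours or days, keyed on accounts rather than source address if the attacker rotates IPs) is needed to catch it.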

Microsoft ranked those targets by the number of accounts the hackers tried to crack; Moran says that about half of the top 25 were manufacturers, suppliers, or maintainers of industrial control system equipment. Microsoft says APT33 has focused on dozens of industrial equipment and software companies since mid-October.

The hackers' motivation, and which industrial control systems they have breached, remains unclear. Moran speculates that the group is trying to gain a foothold for cyberattacks with physically disruptive effects. "They go after these manufacturers and operating system manufacturers, but I don't think they are the end goals," says Moran. "They try to find the downstream customer, to find out how they work and who uses them. They try to hurt the critical infrastructure of someone who uses these control systems."

The shift represents a disturbing move by APT33, given its history. Although Moran says Microsoft has not seen direct evidence of APT33 conducting a disruptive cyberattack rather than mere espionage or surveillance, it has seen incidents where the group at least laid the groundwork for such attacks. Moran says the group's fingerprints have surfaced in multiple intrusions where victims were later hit with a piece of data-wiping malware known as Shamoon. McAfee warned last year that APT33, or a group posing as APT33, had deployed a new version of Shamoon in a series of data-destroying attacks. Threat intelligence firm FireEye has warned since 2017 that APT33 had links to another piece of destructive code called Shapeshifter.

Moran declined to name any specific industrial control system (ICS) companies or products targeted by the APT33 hackers. But he warns that the group's targeting of those control systems suggests Iran may be trying to go further than merely wiping computers in its cyberattacks; it may hope to affect physical infrastructure. Such attacks are rare in the history of state-sponsored hacking but disturbing in their effects. In 2009 and 2010, the US and Israel launched a piece of code called Stuxnet that destroyed Iranian nuclear enrichment centrifuges. In December 2016, Russia used malware known as Industroyer or Crash Override to cause a brief blackout in the Ukrainian capital, Kyiv. And in 2017, hackers of unknown nationality installed malware known as Triton or Trisis in a Saudi oil refinery to disable its safety systems. Some of those attacks, particularly Triton, had the potential to cause physical chaos that threatened the safety of personnel inside the targeted facilities.

Iran has never been publicly linked to any of those ICS attacks. But the new targeting Microsoft has observed suggests it may be working to develop those capabilities. "Given their previous modus operandi of destructive attacks, it makes sense that they go after ICS," says Moran.

But Adam Meyers, vice president of intelligence at security firm CrowdStrike, warns against reading too much into APT33's new focus. It could just as easily be aimed at espionage. "Targeting ICS can be a means of conducting a disruptive or destructive attack, or it can be an easy way to end up in many energy companies because energy companies rely on those technologies," Meyers says. "They are more likely to open an email from them or install software from them."

The potential escalation comes at a tense moment in Iranian-American relations. In June, the US accused Iran of using limpet mines to blow holes in two oil tankers in the Strait of Hormuz and of shooting down an American drone. In September, Iran-backed Houthi rebels launched a drone attack on Saudi oil facilities that temporarily halved the country's oil production.

Moran notes that Iran's attacks in June were reportedly answered in part by a US Cyber Command attack on Iranian intelligence infrastructure. Microsoft saw APT33's password spraying activity drop from tens of millions of attempts per day to zero on the afternoon of June 20, suggesting that APT33's infrastructure may have been affected. But Moran says the password spraying returned to its normal level about a week later.

Moran compares Iran's disruptive cyberattacks with the physical sabotage the US has accused Iran of carrying out. Both destabilize and intimidate regional opponents, and the former would do so even more if Iran's hackers switched from purely digital effects to physical ones.

"They try to deliver messages to their opponents and try to force and change the behavior of their opponents," says Moran. "When you see a drone attack on a mining facility in Saudi Arabia, when you see tankers being destroyed. My feeling says they want to do the same in cyber."

This story originally appeared on wired.com.
