On 20 November security researchers said that Iran-linked advanced persistent threat (APT) unit APT33 had shifted its targeting focus from espionage and data wiping campaigns to IT networks. Now the group increasingly targets the suppliers and manufacturers of industrial control systems (ICS) used in electric utilities, manufacturing, and oil refineries.
Three key risk points:
- Given APT33’s ties to disruptive malware, this shift is likely intended to provide the group with a foothold to carry out disruptive cyber-attacks against the customers of the targeted producers and manufacturers through supply chain attacks.
- These attacks are likely to be carried out at times of escalating tensions between Iran and the state in which the victim company operates. Instead of wiping disks and data, such attacks could have the potential to inflict physical effects on infrastructure, which in turn could threaten the safety of personnel at the targeted facilities.
- In an alternative scenario, APT33 is targeting the ICS suppliers to compromise their customers in strategic and commercial espionage campaigns.
Assessment
APT33’s targeting of equipment suppliers and software providers for ICS has implications for organisations globally that are using such systems, particularly in the energy, oil and gas, maritime and manufacturing sectors. Organisations with a strong presence in, or links to, such industries in the Middle East, particularly in Saudi Arabia, the UAE and Bahrain likely face a heightened threat from related APT33 activities.
The group typically conducts widespread password-spraying attacks against user accounts at tens of thousands of organisations per month. Its latest operations highlight that the group has reduced the rate of its password-spraying attacks to around 2,000 organisations per month, suggesting a targeted selection of potential victims.
APT33 is likely Iran’s most sophisticated threat group. The group has been linked to the disk- and data-wiping malware Shamoon, which in 2012 destroyed more than 35,000 workstations at Saudi Aramco. Shamoon again in November 2016 affected organisations in Saudi Arabia and was last seen targeting oil and gas company Saipem in late 2018.
Outlook
We assess that APT33’s espionage campaigns against critical industries in the Middle East and the US – including oil and gas, energy, maritime, and aerospace and defence – will likely continue to present a high threat in the coming months. The group is also highly likely to continue to develop its tactics, techniques and procedures (TTPs) to improve its anti-detection, espionage and disruptive capabilities.
Supply chain attacks remain highly effective and are regularly used by highly sophisticated espionage groups. We assess that high-impact supply chain compromises will likely remain limited to operationally and technically sophisticated, well-funded state-linked espionage groups, primarily due to the significant resources required to carry out such operations.
However, cybercriminal groups like Cobalt and Trickbot stand out as highly advanced and innovative, demonstrating considerable financial resources and skills to produce indigenous malware, manipulate and repurpose existing malware tools, and research and develop attack locations. These groups in particular are pioneering in their approach to cybercriminal attacks on supply chains.