Jump to content

Main menu Navigation ●Main page ●Contents ●Current events ●Random article ●About Wikipedia ●Contact us ●Donate Contribute ●Help ●Learn to edit ●Community portal ●Recent changes ●Upload file

●Create account ●Log in ●Create account ● Log in Pages for logged out editors learn more ●Contributions ●Talk

(Top) 1 History 2 Targets 3 Modus operandi 4 Identification 5 See also 6 References

Elfin Team

●العربية ●Español ●فارسی ●עברית Edit links ●Article ●Talk ●Read ●Edit ●View history Tools Actions ●Read ●Edit ●View history General ●What links here ●Related changes ●Upload file ●Special pages ●Permanent link ●Page information ●Cite this page ●Get shortened URL ●Download QR code ●Wikidata item Print/export ●Download as PDF ●Printable version Appearance From Wikipedia, the free encyclopedia

Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran.^[1]^[2] The group has also been called Elfin Team, Refined Kitten (byCrowdstrike), Magnallium (by Dragos), Peach Sandstorm,^[3] and Holmium (byMicrosoft).^[4]^[5]^[6]

History

[edit]

FireEye believes that the group was formed no later than 2013.^[1]

Targets

[edit]

APT33 has reportedly targeted aerospace, defense and petrochemical industry targets in the United States, South Korea, and Saudi Arabia.^[1]^[2]

Modus operandi

[edit]

APT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift, or install a backdoor called TurnedUp.^[1] The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application files to its targets.^[1]^[2]

APT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.^[2]

Identification

[edit]

FireEye and Kaspersky Lab noted similarities between the ShapeShift and Shamoon, another virus linked to Iran.^[1] APT33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time business hours, remaining inactive on the Iranian weekend.^[1]^[2]

One hacker known by the pseudonym of xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army.^[7]^[1]^[2]^[8] xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.^[7]

References

[edit]

^ ^a ^b ^c ^d ^e ^f ^g ^h Greenberg, Andy (September 20, 2017). "New Group of Iranian Hackers Linked to Destructive Malware". Wired.

^ ^a ^b ^c ^d ^e ^f O'Leary, Jacqueline; Kimble, Josiah; Vanderlee, Kelli; Fraser, Nalani (September 20, 2017). "Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware". FireEye.

^ "Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets". Microsoft. 14 September 2023.

^ "Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S."

^ "MAGNALLIUM | Dragos". 30 May 2020.

^ "Microsoft says Iran-linked hackers targeted businesses". Associated Press. 6 March 2019.

^ ^a ^b Cox, Joseph (20 September 2017). "Suspected Iranian Hackers Targeted U.S. Aerospace Sector". The Daily Beast. Archived from the original on September 21, 2017. Included in a piece of non-public malware APT33 uses called TURNEDUP is the username "xman_1365_x." xman has accounts on a selection of Iranian hacking forums, such as Shabgard and Ashiyane, although FireEye says it did not find any evidence to suggest xman was formally part of those site's hacktivist groups. In its report, FireEye links xman to the "Nasr Institute," a hacking group allegedly controlled by the Iranian government.

^ Auchard, Eric; Wagstaff, Jeremy; Sharafedin, Bozorgmehr (September 20, 2017). Heinrich, Mark (ed.). "Once 'kittens' in cyber spy world, Iran gaining hacking prowess: security experts". Reuters. FireEye found some ties between APT33 and the Nasr Institute - which other experts have connected to the Iranian Cyber Army, an offshoot of the Revolutionary Guards - but it has yet to find any links to a specific government agency, Hultquist said.

Hacking in the 2010s

← 2000s

Timeline

2020s →

Major incidents

2010	Operation Aurora (publication of 2009 events) Australian cyberattacks Operation Olympic Games Operation ShadowNet Operation Payback
2011	Canadian government DigiNotar DNSChanger HBGary Federal Operation AntiSec PlayStation network outage RSA SecurID compromise
2012	LinkedIn hack Stratfor email leak Operation High Roller
2013	South Korea cyberattack Snapchat hack Cyberterrorism attack of June 25 2013 Yahoo! data breach Singapore cyberattacks
2014	Anthem medical data breach Operation Tovar 2014 celebrity nude photo leak 2014 JPMorgan Chase data breach 2014 Sony Pictures hack Russian hacker password theft 2014 Yahoo! data breach
2015	Office of Personnel Management data breach Hacking Team Ashley Madison data breach VTech data breach Ukrainian Power Grid Cyberattack SWIFT banking hack
2016	Bangladesh Bank robbery Hollywood Presbyterian Medical Center ransomware incident Commission on Elections data breach Democratic National Committee cyber attacks Vietnam Airport Hacks DCCC cyber attacks Indian Bank data breaches Surkov leaks Dyn cyberattack Russian interference in the 2016 U.S. elections 2016 Bitfinex hack
2017	SHAttered 2017 Macron e-mail leaks WannaCry ransomware attack Westminster data breach Petya and NotPetya 2017 Ukraine ransomware attacks Vault7 data breach Equifax data breach Deloitte breach Disqus breach
2018	Trustico Atlanta cyberattack SingHealth data breach
2019	Sri Lanka cyberattack Baltimore ransomware attack Bulgarian revenue agency hack WhatsApp snooping scandal Jeff Bezos phone hacking incident

Hacktivism

Advanced
persistent threats

Individuals

Major vulnerabilities
publicly disclosed

Evercookie (2010)
iSeeYou (2013)
Heartbleed (2014)
Shellshock (2014)
POODLE (2014)
Rootpipe (2014)
Row hammer (2014)
SS7 vulnerabilities (2014)
WinShock (2014)
JASBUG (2015)
Stagefright (2015)
DROWN (2016)
Badlock (2016)
Dirty COW (2016)
Cloudbleed (2017)
Broadcom Wi-Fi (2017)
EternalBlue (2017)
DoublePulsar (2017)
Silent Bob is Silent (2017)
KRACK (2017)
ROCA vulnerability (2017)
BlueBorne (2017)
Meltdown (2018)
Spectre (2018)
EFAIL (2018)
Exactis (2018)
Speculative Store Bypass (2018)
Lazy FP state restore (2018)
TLBleed (2018)
SigSpoof (2018)
Foreshadow (2018)
Dragonblood (2019)
Microarchitectural Data Sampling (2019)
BlueKeep (2019)
Kr00k (2019)

Malware

2010	Bad Rabbit Black Energy 2 SpyEye Stuxnet
2011	Coreflood Alureon Duqu Kelihos Metulji botnet Stars
2012	Carna Dexter FBI Flame Mahdi Red October Shamoon
2013	CryptoLocker DarkSeoul
2014	Brambul Black Energy 3 Carbanak Careto DarkHotel Duqu 2.0 FinFisher Gameover ZeuS Regin
2015	Dridex Hidden Tear Rombertik TeslaCrypt
2016	Hitler Jigsaw KeRanger Necurs MEMZ Mirai Pegasus Petya and NotPetya X-Agent
2017	BrickerBot Kirk LogicLocker Rensenware Triton WannaCry XafeCopy
2018	VPNFilter
2019	Grum Joanap NetTraveler R2D2 Tinba Titanium ZeroAccess botnet

Retrieved from "https://en.wikipedia.org/w/index.php?title=Elfin_Team&oldid=1221433423" Categories: ●Cyberwarfare ●Iranian advanced persistent threat groups ●Hacking (computer security) Hidden categories: ●Articles with short description ●Short description matches Wikidata ●This page was last edited on 29 April 2024, at 22:39 (UTC). ●Text is available under the Creative Commons Attribution-ShareAlike License 4.0; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization. ●Privacy policy ●About Wikipedia ●Disclaimers ●Contact Wikipedia ●Code of Conduct ●Developers ●Statistics ●Cookie statement ●Mobile view