Workload and Application Security Blog

Iran’s APT33 Hackers Are Targeting Industrial Control Systems

Written by Virsec | Nov 30, 2019 1:08:03 AM

Journal of Cyber Policy (Nov 21), isBuzznews (Nov 22), CPO Magazine (Dec 5), with comments from Ray DeMeo.

A well-known and active Iranian hacker group is targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.

Security researchers have been observing the APT33 hackers shifting their targets from IT networks toward critical infrastructure, leading the researchers to wonder whether the group is considering cyber attacks that would cause serious disruptions.

If so, it wouldn’t be the first time they’ve caused trouble. Iranian hackers have carried out some of the worst acts of cyber sabotage in recent years, taking out computer networks in the Middle East and at times impacting the US.

But their focus now seems to be on the physical control systems of industrial infrastructures – electric utilities, manufacturing plants and oil refineries.

Mutual Nation State Hacking

The notorious hacking group is known by other names, such as Elfin, Refined Kitten and Holmium. Its handiwork has been seen in connection with data-wiping attacks using malware named Shamoon. Last year, McAfee cautioned that a new version of Shamoon was conducting a new series of attacks destroying data, and it was alleged that APT33 was behind the attacks. FireEye research also attributed Shapeshifter to APT33 in 2017.

Nation state hacking goes both ways. In 2009-2010, the US and Israel together coordinated Stuxnet, a piece of malware that was launched against Iranian nuclear centrifuges. In December of 2016, Russia used the Industroyer malware, aka Crash Override, against Ukraine, causing a blackout. Two years ago, in 2017, Triton (aka Trisis) struck a Saudi Arabian oil refinery. This attack in particular was aimed at causing personal harm to people along with disrupting operations in the plants.

To date, Iran hasn’t been identified as a party behind these ICS attacks, but indicators reveal they could be leading up to such an action. Far more common than these destructive attacks is espionage. Most nation states are engaged in cyberspying on a regular basis. Perhaps reconnaissance is Iran’s goal instead of something more destructive, but once hackers invade a system to spy, it doesn’t require much more to launch a damaging attack.

Virsec Co-Founder and COO Ray DeMeo Reflects on Threats to ICS

"There’s a common misconception that OT systems are less vulnerable to attack than IT systems. It’s not necessary to hack physical equipment to cause disruption or damage to industrial equipment. The control systems (SCADA and others) are largely run on conventional Windows machines and vulnerable to a wide range of external, supply chain and insider attacks. We’ve seen repeatedly, with attacks from Stuxnet to Triton/Trisis, that fileless and in-memory attacks can hijack the control systems, and then easily bring down physical industrial equipment. The ICS industry needs a serious wakeup call to take these threats more seriously, and rapidly implement stronger security across their entire IT/OT stacks."

Read full Iran’s APT33 Hackers Are Targeting Industrial Control Systems article

Read full Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems brief

Read full Iranian Hackers APT33 Now Threatening ICS Security article

 
