APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
Name: APT 33 (Mandiant), Elfin (Symantec), Magnallium (Dragos), Holmium (Microsoft), ATK 35 (Thales), Refined Kitten (CrowdStrike), TA451 (Proofpoint), Cobalt Trinity (SecureWorks)
Location: Iran
Suspected attribution: State-sponsored
Date of initial activity: 2013
Targets: Multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
Motivation: Espionage
Associated tools: AutoCore, Cadlotcorg, Dello RAT, Imminent Monitor, KDALogger, Koadic, NanoCore, NetWire, PoshC2, POWERTON, Poylog, PupyRAT, Schoolbag
Attack vectors: APT33 has targeted organizations, spanning multiple industries, headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.
How they work: COBALT TRINITY has been active since at least 2015, and SecureWorks CTU (Counter Threat Unit) researchers assess with moderate confidence that the group operates on behalf of Iran. Known targets include U.S., UK, and Middle Eastern organizations in the government, defense, aerospace, legal, oil and gas, and energy verticals. However, broad campaigns have also been conducted that cut across multiple verticals. COBALT TRINITY has been observed using publicly available tools such as NanoCore, NetWire, PupyRAT, PoshC2, and Koadic. The threat group also uses a selection of custom tools such as POWERTON, Dello RAT, AutoCore, KDALogger, and Poylog.
In 2019, COBALT TRINITY was tentatively linked to the 2018 Middle Eastern Shamoon activity. The threat actors perform password-spraying attacks against a broad swath of companies and individuals and use a playbook when spearphishing intended targets. Between 2017 and 2019, CTU researchers observed multiple COBALT TRINITY campaigns using job-themed spearphishing to initiate a multi-staged PowerShell-based infection chain to deploy custom and publicly available RATs. The group’s objective appears to be gathering intelligence for military, political, and economic advantage. Broad password spraying is a favored tactic to obtain initial access, with organizations repeatedly targeted once they make it onto COBALT TRINITY’s radar.
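The password-spraying pattern described in this passage (one source failing against many distinct accounts, followed by a success) is the kind of initial access a defender can spot in authentication logs. The following is an added detection example, not code from this page or from any vendor cited here; the log line format, sample lines, source addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
# "<ISO-8601 timestamp> src=<ip> user=<account> result=<OK|FAIL>"
# 203.0.113.5 tries one password against five accounts, then one succeeds;
# 198.51.100.7 repeatedly fails against a single account (not a spray).
SAMPLE_LOG = """\
2019-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2019-03-01T10:00:03Z src=203.0.113.5 user=bob result=FAIL
2019-03-01T10:00:05Z src=203.0.113.5 user=carol result=FAIL
2019-03-01T10:00:07Z src=203.0.113.5 user=dave result=FAIL
2019-03-01T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2019-03-01T10:02:40Z src=203.0.113.5 user=erin result=OK
2019-03-01T10:01:00Z src=198.51.100.7 user=alice result=FAIL
2019-03-01T10:01:30Z src=198.51.100.7 user=alice result=FAIL
2019-03-01T10:02:00Z src=198.51.100.7 user=alice result=FAIL
"""

def parse_log(log_text):
    """Yield (timestamp, src, user, result) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, rest = line.split(" ", 1)
            f = dict(kv.split("=", 1) for kv in rest.split())
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), f["src"], f["user"], f["result"]

def detect_password_spray(log_text, min_accounts=5, window=timedelta(minutes=10)):
    """Map each spraying source to the sorted accounts it failed against: a source
    is flagged when its failures hit >= min_accounts distinct users within `window`."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for ts, src, user, result in parse_log(log_text):
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = sorted(users)
                break
    return flagged

def accounts_to_review(log_text, **kwargs):
    """Accounts that logged in successfully from a flagged source: triage these
    first, since a success after a spray is the likely initial-access foothold."""
    sprayers = detect_password_spray(log_text, **kwargs)
    return sorted({u for _, src, u, r in parse_log(log_text) if r == "OK" and src in sprayers})
```

Tuning `min_accounts` and `window` to the organization's normal failure rate matters: too low and shared NAT egress addresses will be flagged, too high and a slow spray goes unnoticed.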