ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > APT 33, Elfin, Magnallium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 33, Elfin, Magnallium

NamesAPT 33 (Mandiant)
Elfin (Symantec)
Magnallium (Dragos)
Holmium (Microsoft)
ATK 35 (Thales)
Refined Kitten (CrowdStrike)
TA451 (Proofpoint)
Cobalt Trinity (SecureWorks)
Peach Sandstorm (Microsoft)
Yellow Orc (PWC)
Curious Serpens (Palo Alto)
CountryIran Iran
SponsorState-sponsored, Iranian Islamic Revolutionary Guard Corps (IRGC)
MotivationInformation theft and espionage, Sabotage and destruction
First seen2013
Description(FireEye) When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

APT 33 seems to be closely related to OilRig, APT 34, Helix Kitten, Chrysene since at least 2017.
ObservedSectors: Aviation, Defense, Education, Energy, Financial, Government, Healthcare, High-Tech, Manufacturing, Media, Oil and gas, Petrochemical, Telecommunications and others.
Countries: Iran, Iraq, Israel, Saudi Arabia, South Korea, UAE, UK, USA.
Tools usedAutoIt backdoor, DarkComet, DistTrack, EmpireProject, FalseFont, Filerase, JuicyPotato, LaZagne, Mimikatz, NanoCore RAT, NetWire RC, PoshC2, PowerBand, PowerSploit, POWERTON, PsList, PupyRAT, QuasarRAT, RemcosRAT, Ruler, SHAPESHIFT, StoneDrill, Tickler, TURNEDUP, Living off the Land.
Operations performedMar 2019Attacks on Multiple Organizations in Saudi Arabia and U.S.
The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries.
<https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage>
Jul 2019US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.
The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.
<https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/>
Nov 2019More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
<https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/>
Feb 2023Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets
<https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/>
Nov 2023Microsoft: Hackers target defense firms with new FalseFont malware
<https://www.bleepingcomputer.com/news/security/microsoft-hackers-target-defense-firms-with-new-falsefont-malware/>
Apr 2024Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations
<https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/>
Information<https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html>
<https://en.wikipedia.org/wiki/Elfin_Team>
MITRE ATT&CK<https://attack.mitre.org/groups/G0064/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=oilrig>

Last change to this card: 23 October 2024

Download this actor card in PDF or JSON format

Previous: APT 32, OceanLotus, SeaLotus
Next: APT 41

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]