Elfin Hacking Group Targets Multiple U.S. and Saudi Arabian Firms

An Iran-linked cyber-espionage group that has been found targeting critical infrastructure, energy and military sectors in Saudi Arabia and the United States two years ago continues targeting organizations in the two nations, Symantec reported on Wednesday.

Widely known as APT33, which Symantec calls Elfin, the cyber-espionage group has been active since as early as late 2015 and targeted a wide range of organizations, including government, research, chemical, engineering, manufacturing, consulting, finance, and telecommunications in the Middle East and other parts of the world.

Symantec started monitoring Elfin’s attacks since the beginning of 2016 and found that the group has launched a heavily targeted campaign against multiple organizations with 42% most recent attacks observed against Saudi Arabia and 34% against the United States.

Elfin targeted a total of 18 American organizations in the engineering, chemical, research, energy consultancy, finance, IT and healthcare sectors over the past three years, including a number of Fortune 500 companies.

“Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks,” Symantec said in its blog post. “In one instance, a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised.”

Hackers Still Exploiting Recently Discovered WinRAR Flaw

The APT33 group has also been exploiting a recently disclosed, critical vulnerability (CVE-2018-20250) in the widely used WinRAR file compression application that lets attackers silently extract malicious files from a harmless archive file to a Windows Startup folder, eventually allowing them to execute arbitrary code on the targeted computer.

The vulnerability was already patched by the WinRAR team last month but was found actively exploited by various hacking groups and individual hackers immediately after its details and proof-of-concept (PoC) exploit code went public.

In the APT33 campaign, the WinRAR exploit was used against a targeted organization in the chemical sector in Saudi Arabia, where two of its users received a file via a spear-phishing email that attempted to exploit the WinRAR vulnerability.

Though Symantec is not the only firm that spotted attacks exploiting the WinRAR flaw, security firm FireEye also identified four separate campaigns that have been found exploiting the WinRAR vulnerability to install password stealers, trojans and other malicious software.

What’s more? APT33 has deployed a wide range of tools in its custom malware toolkit including the Notestuk backdoor (aka TURNEDUP), the Stonedrill Trojan and a malware backdoor written in AutoIt.

Besides its custom malware, APT33 also used several commodity malware tools, including Remcos, DarkComet, Quasar RAT, Pupy RAT, NanoCore, and NetWeird, along with many publicly available hacking tools, like Mimikatz, SniffPass, LaZagne, and Gpppassword.

APT33/Elfin Links to Shamoon Attacks

In December 2018, the APT33 group was linked to a wave of Shamoon attacks targeting the energy sector, one of which infected a company in Saudi Arabia with the Stonedrill malware used by Elfin.

“One Shamoon victim in Saudi Arabia had recently also been attacked by Elfin and had been infected with the Stonedrill malware used by Elfin. Because the Elfin and the Shamoon attacks against this organization occurred so close together, there has been speculation that the two groups may be linked,” Symantec said.

“However, Symantec has found no further evidence to suggest Elfin was responsible for these Shamoon attacks to date. We continue to monitor the activities of both groups closely.”

In late 2017, cybersecurity company FireEye said it found evidence that APT33 works on behalf of the Iranian government, and that the group has successfully targeted aviation sector—both military and commercial—along with organizations in the energy sector.

Symantec described APT33 as “one of the most active groups currently operating in the Middle East” targeting a diverse range of sectors, with “willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims.”