APT33: Iran's Evolving Cyber Espionage and Destructive Capabilities
- Suspected Origin
- Iran
- Motivation
- Espionage, Economic Influence, Strategic Intelligence, Potential Destruction
- Aliases
- HOLMIUM, Elfin, Peach Sandstorm
- Target Sectors
- Aerospace, Energy, Defense, Government, Petrochemical, Satellite, Chemical, Engineering, Manufacturing, Finance, Telecommunications, Research
- Associated Malware
- TURNEDUP, SHAPESHIFT (STONEDRILL), DROPSHOT, Tickler, FalseFont, PoshC2, Remcos, DarkComet, Quasar RAT, Pupy RAT, Mimikatz, Ruler, Shamoon
Overview
APT33, also tracked as HOLMIUM, Elfin, and Peach Sandstorm, is a sophisticated and persistent Iranian state-sponsored threat group that has been operational since at least 2013. This group, identified by its MITRE ATT&CK ID G0064, is widely assessed to operate at the behest of the Iranian government, with strong suspected links to the Islamic Revolutionary Guard Corps (IRGC). Their primary objective centers on strategic espionage, aiming to steal intellectual property, sensitive data, and technical specifications that directly benefit Iran’s military and economic ambitions. This includes enhancing domestic aviation capabilities, expanding petrochemical production, and gaining insights into regional military and strategic decision-making.
While APT33 is primarily known for espionage, the group also possesses and has historically demonstrated a latent, yet potent, destructive capability, evidenced by its association with wiper malware like SHAPESHIFT (STONEDRILL) and, by some accounts, the infamous Shamoon. This dual capability suggests that compromised organizations face risks beyond data theft, including potential data destruction, especially during periods of elevated geopolitical tension. APT33’s targeting is highly focused, consistently concentrating on critical infrastructure sectors such as aerospace (both military and commercial), defense, and energy (petrochemicals, oil refining). Geographically, their operations frequently target organizations in the United States, Saudi Arabia, South Korea, and more recently, have expanded to include countries like Australia and the UAE.
Tactics & Techniques
APT33’s operational playbook has continuously evolved, transitioning from traditional network-based attacks to a more sophisticated, “Cloud-First” attack model in recent years. Historically, their initial access was heavily reliant on spear phishing campaigns, often employing recruitment-themed lures to entice victims. These emails typically contained malicious HTML Application (.hta) files or weaponized Microsoft Office documents with macros that, when opened, would download custom backdoors. They also utilized links to credential harvesting pages, often impersonating legitimate entities like Boeing or Saudi Arabian aviation companies.
In addition to phishing, APT33 has shown a consistent tendency to exploit known vulnerabilities in widely used software. Notable instances include exploiting CVE-2018-20250 in WinRAR and CVE-2017-11774 in Microsoft Outlook to achieve code execution or deploy malware. For privilege escalation, they have leveraged vulnerabilities such as CVE-2017-0213 and utilized valid administrative credentials obtained through various means.
A significant shift in their tactics, particularly since 2023, involves large-scale password spraying campaigns against cloud services like Microsoft 365 and Azure Active Directory. This technique allows them to bypass traditional perimeter defenses by directly targeting the identity layer, often using distinct user agents like ‘go-http-client’. Once initial access is gained, persistence is maintained through various methods, including modifying Registry Run keys, deploying tools to startup folders, creating scheduled tasks, and establishing WMI event subscriptions. They have also used legitimate remote monitoring and management (RMM) tools like AnyDesk. For internal reconnaissance, tools like AD Explorer have been observed for Active Directory snapshots. Command and Control (C2) infrastructure has evolved, initially relying on custom backdoors over HTTP, but more recently abusing legitimate cloud platforms like Microsoft Azure to blend C2 traffic with normal corporate cloud activity, making detection significantly harder. Data exfiltration often involves compressing files with tools like WinRAR before transferring them via FTP or C2 channels.
Notable Campaigns
APT33 has a long history of impactful campaigns aligning with Iran’s strategic interests. A significant period of activity occurred from mid-2016 through early 2017, where the group aggressively targeted the aerospace and aviation sectors in the United States and Saudi Arabia, alongside petrochemical firms in South Korea. These campaigns frequently employed spear phishing with recruitment-themed lures, delivering custom backdoors like TURNEDUP.
The 2017-2018 timeframe saw APT33 pivot to focus on the engineering industry, showcasing a tactical evolution by leveraging stolen credentials and exploiting known vulnerabilities (e.g., CVE-2017-11774) to compromise victims’ email clients. In February 2019, the group was observed targeting a Saudi Arabian chemical company with spear phishing that exploited CVE-2018-20250 in compressed files. Later that year, from mid-June to October 2019, APT33 conducted extensive password spraying campaigns against cloud-hosted infrastructure across various industries and used spoofed U.S. defense contractor domains in spear phishing operations.
A critical aspect of APT33’s history is its association with Shamoon-style destructive attacks. While direct, definitive attribution can be complex and vary by reporting vendor, APT33 has been linked to the DROPSHOT dropper, which has been observed delivering the SHAPESHIFT wiper malware. SHAPESHIFT (aka STONEDRILL) is capable of wiping master boot records and destroying data, a capability that aligns with the destructive nature of Shamoon attacks against Saudi energy sector targets.
More recently, APT33 has demonstrated a significant strategic evolution, with campaigns in 2023 and 2024 characterized by a “Cloud-First” approach. These recent operations involved extensive password spraying against thousands of organizations globally, including those in the defense, satellite, pharmaceutical, and government sectors. A notable tactic in 2024 involved the exploitation of Microsoft Azure, where APT33 compromised educational institution accounts to create fraudulent Azure tenants for Command and Control (C2) infrastructure, significantly enhancing their stealth and evasion capabilities. During this period, new custom backdoors like ‘Tickler’ were also deployed against satellite operators and communications equipment manufacturers.
Associated Malware & Tools
APT33 employs a diverse arsenal comprising both custom-developed malware and readily available commercial or open-source tools.
Key custom malware includes:
- TURNEDUP: A versatile backdoor capable of downloading and uploading files, gathering system information, and establishing reverse shells.
- SHAPESHIFT (STONEDRILL): Another backdoor, notable for its integrated data-wiping capability that can clear the master boot record (MBR) of infected systems.
- DROPSHOT: A dropper primarily used to deploy other custom tools like TURNEDUP and SHAPESHIFT.
- Tickler and FalseFont: More recent custom backdoors observed in 2024 campaigns, indicating ongoing development and investment in their toolset for stealth and persistence in high-value networks.
Their use of commodity and publicly available tools is extensive and designed to blend in with legitimate network activity:
- Remote Access Trojans (RATs): PoshC2, Remcos, DarkComet, Quasar RAT, Pupy RAT, Netwire, njRAT, RevengeRAT.
- Credential Dumping/Harvesting Tools: Mimikatz, Procdump, LaZagne, SniffPass, Gpppassword.
- Email Client Manipulation: Ruler, a lesser-known tool for interacting with Exchange servers and manipulating Outlook features for malicious purposes.
- Post-Exploitation Frameworks: PowerShell Empire.
- Utility Tools: WinRAR (for data compression), AnyDesk (for remote management), AD Explorer (for Active Directory reconnaissance), ALFA TEaM Shell (ALFASHELL).
- Wiper Malware: Shamoon (attributed by some researchers).
Current Status
APT33 remains an active and highly adaptable threat actor. The group has consistently demonstrated its capacity to evolve its tactics, techniques, and procedures (TTPs), moving beyond traditional spear phishing to embrace sophisticated cloud-based attack models. Recent intelligence, particularly from 2023 and 2024, highlights a significant escalation in its operational sophistication, characterized by widespread password spraying and the abuse of legitimate cloud infrastructure like Microsoft Azure for command and control.
This ongoing evolution, coupled with the continuous development of new custom malware such as Tickler and FalseFont, solidifies APT33’s position as one of Iran’s most effective and enduring state-sponsored cyber espionage groups. Organizations in the targeted sectors, particularly aerospace, energy, and defense, should consider APT33 an ongoing and serious threat, requiring a proactive and adaptive defense posture, especially concerning cloud security and identity management.
Related content
Molerats (G0021): Persistent Cyber Espionage in the Middle East
Adversary ProfileMagic Hound (G0059) Threat Profile: Iran's Persistent Cyber Espionage
Adversary ProfileNigerian BEC Syndicate: SilverTerrier (G0083) Threat Profile
Adversary ProfileCleaver (G0003): Iranian APT Targeting Critical Infrastructure
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call