ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > APT 33, Elfin, Magnallium

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: APT 33, Elfin, Magnallium

NamesAPT 33 (Mandiant)
Elfin (Symantec)
Magnallium (Dragos)
Holmium (Microsoft)
ATK 35 (Thales)
Refined Kitten (CrowdStrike)
TA451 (Proofpoint)
CountryIran Iran
SponsorState-sponsored
MotivationInformation theft and espionage, Sabotage and destruction
First seen2013
Description(FireEye) When discussing suspected Middle Eastern hacker groups with destructive capabilities, many automatically think of the suspected Iranian group that previously used SHAMOON – aka Disttrack – to target organizations in the Persian Gulf. However, over the past few years, we have been tracking a separate, less widely known suspected Iranian group with potential destructive capabilities, whom we call APT33. Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

APT33 has targeted organizations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea. APT33 has shown particular interest in organizations in the aviation sector involved in both military and commercial capacities, as well as organizations in the energy sector with ties to petrochemical production.

APT 33 seems to be closely related to OilRig, APT 34, Helix Kitten, Chrysene since at least 2017.
ObservedSectors: Aviation, Defense, Education, Energy, Financial, Government, Healthcare, High-Tech, Manufacturing, Media, Petrochemical and others.
Countries: Iran, Iraq, Israel, Saudi Arabia, South Korea, UK, USA.
Tools usedAutoIt backdoor, DarkComet, DistTrack, EmpireProject, Filerase, JuicyPotato, LaZagne, Mimikatz, NanoCore RAT, NetWire RC, PoshC2, PowerBand, PowerSploit, POWERTON, PsList, PupyRAT, QuasarRAT, RemcosRAT, Ruler, SHAPESHIFT, StoneDrill, TURNEDUP, Living off the Land.
Operations performedMar 2019Attacks on Multiple Organizations in Saudi Arabia and U.S.
The Elfin espionage group (aka APT33) has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries.
<https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage>
Jul 2019US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.
The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.
<https://www.zdnet.com/article/us-cyber-command-issues-alert-about-hackers-exploiting-outlook-vulnerability/>
Nov 2019More than a Dozen Obfuscated APT33 Botnets Used for Extreme Narrow Targeting
<https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/>
Information<https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html>
<https://en.wikipedia.org/wiki/Elfin_Team>
MITRE ATT&CK<https://attack.mitre.org/groups/G0064/>
Playbook<https://pan-unit42.github.io/playbook_viewer/?pb=oilrig>

Last change to this card: 22 April 2020

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key