Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating industrial control systems (ICS), say reports.
APT33, also known by the names Holmium, Refined Kitten, or Elfin, has focused heavily on destroying its victims’ data in the past. Now though, the group has changed tack according to Ned Moran, principal program manager at Microsoft, who spoke at the CYBERWARCON conference in Arlington, Virginia on Thursday. Moran, who is also a fellow with the University of Toronto’s Citizen Lab focusing on security and information technologies, focuses on identifying and disrupting state-sponsored attackers in the Middle East.
The APT33 group is closely associated with Shamoon malware that wipes data from its targets’ systems. Experts have also warned of other tools in the group’s arsenal, including a data destruction tool called StoneDrill and a piece of backdoor software called TURNEDUP.
Moran said that APT33 used to use ‘password spraying’ attacks, in which it would try a few common passwords on accounts across lots of organizations. More recently, though, it has refined its efforts, ‘sharpening the spear’ by attacking ten times as many accounts per organisation while shrinking the number of organisations it targets. It has also focused heavily on ICS manufacturers, suppliers and maintainers, Moran said.
Of course Iran isn’t the only country accused of using malware to target and subvert industrial control systems. US-CERT has previously warned that groups “active in benefiting” both Russia and North Korea have been taking aim at US critical infrastructure.
The USA has itself been accused of quietly planting malware throughout Russia’s energy networks in response to years of Russian attacks on its own power grid.
Perhaps most famously though, the USA was implicated in the Stuxnet malware attack against industrial control systems in Iran, at the beginning of the decade. The malware, widely thought to be the work of the USA and Israel, was introduced into Iran’s Natanz nuclear plant via infected USBs. It apparently succeeded in its aim of sabotaging Iran’s nuclear program by damaging its centrifuges, before an error caused the malware to spread beyond its intended target.
More recently, the US admitted to a retaliatory cyberattack against Iran following allegations that the middle-eastern country shot down US drones and interfered with oil tankers during the summer.
It’s not difficult to see why industrial control systems are a tempting target for groups looking to cause maximum disruption.
It’s easy to see why industrial control systems are such a dangerous target and US cybersecurity chiefs have been warning of a potential “digital Pearl Harbor” for almost 20 years.
The problem of putting up adequate defences has been compounded by a historical lack of attention to security. Writing in 2016, Naked Security’s Chester Wisniewski described how history had caught up with industrial control systems designed for an earlier, less-connected age:
Much of the risk in ICS systems stems from operators taking devices never intended to be used on a public network and connecting them to the internet. ICS vendors always seem to warn customers that this isn’t meant to be put online, but we need to acknowledge those days are over.
We need to design for the worst case and assume that the days of deploying an air gap are the exception, not the rule.