Iranian hackers have carried out some of the most disruptive acts of digital sabotage of the last decade, wiping entire computer networks in waves of cyberattacks across the Middle East and occasionally even the US. But now one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.
At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.
Microsoft ranked those targets by the number of accounts hackers tried to crack; Moran says about half of the top 25 were manufacturers, suppliers, or maintainers of industrial control system equipment. In total, Microsoft says it has seen APT33 target dozens of those industrial equipment and software firms since mid-October.
The hackers’ motivation—and which industrial control systems they’ve actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. “They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” says Moran. “They‘re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”
The shift represents a disturbing move from APT33 in particular, given its history. Though Moran says Microsoft hasn’t seen direct evidence of APT33 carrying out a disruptive cyberattack rather than mere espionage or reconnaissance, it’s seen incidents where the group has at least laid the groundwork for those attacks. The group’s fingerprints have shown up in multiple intrusions where victims were later hit with a piece of data-wiping malware known as Shamoon, Moran says. McAfee last year warned that APT33—or a group pretending to be APT33, it hedged—was deploying a new version of Shamoon in a series of data-destroying attacks. Threat intelligence firm FireEye has warned since 2017 that APT33 had links to another piece of destructive code known as Shapeshifter.
Moran declined to name any of the specific industrial control system, or ICS, companies or products targeted by the APT33 hackers. But he warns that the group’s targeting of those control systems suggests that Iran may be seeking to move beyond merely wiping computers in its cyberattacks. It may hope to influence physical infrastructure. Those attacks are rare in the history of state-sponsored hacking, but disturbing in their effects; in 2009 and 2010 the US and Israel jointly launched a piece of code known as Stuxnet, for instance, that destroyed Iranian nuclear enrichment centrifuges. In December 2016, Russia used a piece of malware known as Industroyer or Crash Override to briefly cause a blackout in the Ukrainian capital of Kyiv. And hackers of unknown nationality deployed a piece of malware known as Triton or Trisis in a Saudi Arabian oil refinery in 2017 designed to disable safety systems. Some of those attacks—particularly Triton—had the potential to inflict physical mayhem that threatened the safety of personnel inside the targeted facilities.
Iran has never been publicly tied to one of those ICS attacks. But the new targeting Microsoft has seen suggests it may be working to develop those capabilities. “Given their previous modus operandi of destructive attacks, it stands to reason that they’re going after ICS,” says Moran.
But Adam Meyers, vice president for intelligence at security firm Crowdstrike, cautions against reading too much into APT33’s newfound focus. They could just as easily be focused on espionage. “Targeting ICS could be a means to conduct a disruptive or destructive attack, or it could be an easy way to get into lots of energy companies, because energy companies rely on those technologies,” Meyers says. “They’re more likely to open an email from them or install software from them.”
The potential escalation comes during a tense moment in Iranian-US relations. In June, the US accused Iran of using limpet mines to blow holes in two oil tankers in the Strait of Hormuz, as well as shooting down a US drone. Then in September, Iran-back Houthi rebels carried out a drone strike against Saudi oil facilities that temporarily cut the country’s oil production in half.
Moran notes that Iran’s June attacks were reportedly answered in part with a US Cyber Command attackon Iranian intelligence infrastructure. In fact, Microsoft saw APT33’s password-spraying activity fall from tens of millions of hacking attempts per day to zero on the afternoon of June 20, suggesting that APT33’s infrastructure may have been hit. But Moran says that the password spraying returned to its usual levels about a week later.
Moran compares Iran’s disruptive cyberattacks to the acts of physical sabotage the US has accused Iran of carrying out. Both destabilize and intimidate regional adversaries—and the former will do so even more if their hackers can graduate from mere digital effects to physical ones.
“They’re trying to deliver messages to their adversaries and trying to compel and change their adversaries’ behavior,” Moran says. “When you see a drone attack on an extraction facility in Saudi Arabia, when you see tankers being destroyed … My gut says they want to do the same thing in cyber.”