APT33 has used botnets to infect targets in the U.S. and Middle East, researchers say

The Iranian hackers also set up their own virtual private network with “exit nodes” that change frequently, according to Trend Micro.

An Iranian government-linked hacking group has in the last year been using small clusters of hijacked computers to infect a handful of targets that include a U.S. national security firm and a university, researchers said Thursday.

The Iranian group, dubbed APT33, is using the botnets — groups of computers commandeered by attackers — in “extremely targeted malware campaigns against organizations in the Middle East, the U.S., and Asia,” cybersecurity company Trend Micro said.

Botnets often comprise a large number of machines. But in this case, the Iranian hackers are using just a dozen computers per botnet to deliver their malware and gain persistent access to a network, according to the researchers.

The Iranian hackers also set up their own virtual private network with “exit nodes” that change frequently, Trend Micro said. The researchers say they have been tracking those VPN nodes for over a year, but the group has likely used them for longer.


APT33 is using some of those IP addresses to do “reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S.,” the researchers wrote in a blog.

APT33 is one of multiple well-resourced hacking groups researchers say are working on behalf of Iran’s interests. APT33 has vigorously gone after targets in Saudi Arabia and “a number of Fortune 500” companies in the U.S., cybersecurity company Symantec said in March.

The latest findings on APT33, which is also known as Elfin, shine new light on the group’s infrastructure and how it uses it.

The Iranian hackers are using their VPN network to access the websites of penetration-testing firms and sites related to cryptocurrencies, according to Trend Micro. “APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry,” they wrote.

The group has been willing to take over high-profile victims’ infrastructure for long periods of time. For at least two years, the hackers used the website of a prominent European politician to send spearphishing lures to companies in the oil-industry supply chain, Trend Micro said. Among the targets of those malicious emails was a water facility used by the U.S. Army.


At least some of the lures APT33 sent from the European politician’s website were effective, the researchers added. Last year, a Britain-based oil company’s computer server was communicating with one of APT33’s servers, indicating an infection.
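The infection in the previous paragraph was spotted because a server was talking to attacker infrastructure. The following script is an added example, not code from the CyberScoop article or from Trend Micro, showing the simplest version of that check: it flags internal hosts that contact one external address at near-regular intervals (beaconing). The log format, hostnames, IP addresses and timestamps are all constructed for illustration; they are not APT33 indicators.

```python
"""Beaconing check over constructed outbound-connection records.

Added example; not from the article or from Trend Micro's report.
It flags (source host, destination IP) pairs whose connection gaps are
nearly constant, the kind of regularity a malware implant checking in
with its command-and-control server tends to show.
All hostnames, IPs and timestamps below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, source host, destination IP, bytes out.
# fileserver01 checks in with one address every ~5 minutes (a beacon);
# ws-044 browses irregularly (normal traffic).
SAMPLE_LOG = """\
2019-11-14T09:00:00 fileserver01 203.0.113.7 412
2019-11-14T09:00:07 ws-044 198.51.100.20 18800
2019-11-14T09:05:01 fileserver01 203.0.113.7 398
2019-11-14T09:09:58 fileserver01 203.0.113.7 405
2019-11-14T09:12:30 ws-044 198.51.100.20 2200
2019-11-14T09:15:02 fileserver01 203.0.113.7 410
2019-11-14T09:20:00 fileserver01 203.0.113.7 401
2019-11-14T09:41:17 ws-044 198.51.100.77 950
2019-11-14T10:02:44 ws-044 198.51.100.20 31000
"""


def parse_log(text):
    """Return a list of (timestamp, src_host, dst_ip, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    A pair is reported when it has at least `min_connections` connections and
    the coefficient of variation of the gaps (stdev / mean) is <= max_jitter.
    Returns {(src, dst): {"count", "mean_gap_s", "jitter"}}.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Population stdev over the gaps; a pure timer gives jitter near 0.
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            beacons[pair] = {
                "count": len(times),
                "mean_gap_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return beacons


if __name__ == "__main__":
    for (src, dst), info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} "
              f"({info['count']} connections, every ~{info['mean_gap_s']}s, "
              f"jitter {info['jitter']})")
```

Real implants often add random sleep jitter and vary their destination, which is exactly what the rotating exit nodes described above achieve from the attacker's side; in practice the threshold on `max_jitter` is tuned against the environment's baseline, and a hit is a lead to investigate, not proof of compromise.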


Written by Sean Lyngaas
