Spies targeting Saudi Arabia switched tactics after Symantec exposed them, report says

APT33, also known as Elfin and Refined Kitten, "appears undeterred following previous exposés of their activity," Recorded Future said.

A cyber-espionage group widely believed to be carrying out attacks on behalf of the Iranian government resorted to new hacking tools after its malicious activity was unveiled earlier this year, according to research scheduled to be published Wednesday.

The threat intelligence company Recorded Future determined the hacking group APT33 or “a closely aligned threat actor” has used more than 1,200 web domains to conduct cyberattacks since March 28. That’s the date researchers from Symantec released findings exposing an APT33 operation that targeted 50 organizations in Saudi Arabia and the United States.

But Recorded Future also found that in the months since, APT33 apparently has resorted to new remote access trojans, which is yet another indication that suspected Iranian hackers are ramping up their activity amid ongoing international tension.

“Our research found that APT33 or a closely aligned threat actor continues to conduct and prepare for widespread cyber-espionage activity … with a strong emphasis on commodity malware,” says the report. APT33 is also known as Elfin and Refined Kitten.


“Targeting of mainly Saudi Arabian organizations across a wide variety of industries aligns with historical targeting patterns for the group, which appears undeterred following previous exposés of their activity,” Recorded Future said.

Researchers also assessed that the Nasr Institute, a known group first revealed by the U.S. security firm FireEye, is “highly likely to be an agent of the Iranian government cyber operations apparatus.” Recorded Future said the Iranian government uses organizations that masquerade as public service groups to organize hacking activity, and that the Nasr Institute is one example. FireEye previously tied the Nasr Institute to cyberattacks on the U.S. financial sector and to Tehran.

Recorded Future said it has “medium confidence” the group in question has recently targeted a Saudi Arabian conglomerate involved in engineering, construction, utilities, technology, retail, aviation and finance, as well as two health care companies and an Indian mass media firm. That “medium confidence” designation follows reports from researchers at CrowdStrike, Dragos and FireEye, all of whom told Wired magazine they have noticed an uptick in a broad phishing campaign emanating from Iran in recent weeks.

A technical director at the U.S. National Security Agency previously told CyberScoop this uptick in activity out of the Middle East is espionage-related, rather than motivated by destruction.
