Inside The Shadowy World Of Iranian Cyber Espionage Group APT33

Several of the most threatening threat groups today carry the industry label “APT.” APT stands for Advanced Persistent Threat: a clandestine, long-running intrusion (or the group that conducts it) in which the attacker gains unauthorized access to a targeted network, maintains that access, and stays undetected for a significant period of time. Between the initial compromise and remediation, the intruder monitors, intercepts, and relays sensitive data. APTs typically get in through social engineering, exploitation of software vulnerabilities, or stolen credentials, and they favor organizations holding high-value information.

Despite the similar names, each APT group is distinct, with its own history, tactics, and targeting. Earlier in this hacker series we covered APT28 (Fancy Bear) and APT10 (Stone Panda). Today, we focus on APT33.

Who is APT33

APT33, also known as Elfin, Holmium, and Refined Kitten, is a cyber espionage group active since at least 2013. It is assessed to operate from Iran and has been linked to attacks on targets in the Middle East, Europe, and the United States, with a heavy emphasis on Saudi Arabia, the United States, and South Korea. Its focus is gathering intelligence on organizations in the aerospace (both military and commercial aviation), energy, and petrochemical sectors, as well as on government agencies and academic institutions.

Sophisticated International Threat

APT33 is significant because it combines custom-built malware with patient, well-researched social engineering. Its documented initial-access methods are spear-phishing (often job-recruitment lures that impersonate real aerospace and energy employers), exploitation of vulnerable internet-facing software, stolen login credentials, and password spraying: trying a handful of common passwords across many accounts so that no single account trips a lockout threshold. Once inside a network, APT33 will often spend months or even years mapping out an organization’s systems and collecting sensitive data before exfiltrating it to its command-and-control servers.

One of the most concerning aspects of APT33’s operations is its use of “watering hole” attacks: compromising a website known to be frequented by a particular group of users and serving malware from it. Because the victim arrives at the site on their own, APT33 can infect the computers of its intended targets without sending a spear-phishing email or any other message that could be reported and blocked.

APT33 Targets Matter

While APT33 could conceivably target companies in any industry, the defining characteristic of the group is its concentration on aerospace, energy, and petrochemicals. That targeting supports the assessment that it works on behalf of the Iranian government, possibly the Islamic Revolutionary Guard Corps (IRGC), to acquire sensitive technology and intelligence in service of Tehran’s geopolitical goals. Organizations in these industries should remain vigilant: review sign-in logs for the signature of password spraying (one source failing against many accounts a few times each, sometimes followed by a success), treat unsolicited job-recruitment mail carrying attachments or links as suspect, research anomalies rather than dismissing them, and sweat the “small stuff” that might be tied to this specific threat group.
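Password spraying is one of the techniques MITRE ATT&CK records for APT33, and it is exactly the pattern a sign-in log review should look for. The Python below is an added example, not code from the original article or from any vendor product: it groups failed sign-ins by source address inside a sliding time window and raises an alert when one source fails against many distinct accounts while each account sees only a failure or two, which is the opposite shape from a brute force against a single user. The log format, account names, and addresses are constructed for the example (the addresses come from the documentation ranges).

```python
"""Flag password-spray patterns in sign-in logs.

Added example (not from the original article). A spray tries one or two common
passwords against MANY accounts from the same source, so each account sees only a
failure or two and per-account lockout thresholds never trip. The check groups
failed sign-ins by source address within a sliding window and alerts when one
source fails against many distinct accounts with few attempts per account.
Constructed log format: "timestamp,result,user,src_ip".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 and 198.51.100.20 are
# documentation-range addresses. The first source sprays five accounts once each
# and then succeeds against a sixth; the second is one user mistyping a password.
SAMPLE_LOG = """\
2023-05-01T08:00:01Z,FAIL,alice,203.0.113.7
2023-05-01T08:00:03Z,FAIL,bob,203.0.113.7
2023-05-01T08:00:05Z,FAIL,carol,203.0.113.7
2023-05-01T08:00:07Z,FAIL,dave,203.0.113.7
2023-05-01T08:00:09Z,FAIL,erin,203.0.113.7
2023-05-01T08:00:11Z,SUCCESS,frank,203.0.113.7
2023-05-01T08:05:00Z,FAIL,alice,198.51.100.20
2023-05-01T08:05:30Z,FAIL,alice,198.51.100.20
2023-05-01T08:06:00Z,SUCCESS,alice,198.51.100.20
"""


def parse_log(text):
    """Parse the constructed CSV format into (timestamp, result, user, src_ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src))
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted targeted accounts} for sources whose failures look like a spray.

    A source is flagged when, inside any window of `window` length, it fails against
    at least `min_accounts` distinct users and no single user is hit more than
    `max_per_account` times (many users, few tries each)."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    alerts = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                alerts[src] = sorted(per_user)
                break
    return alerts


def successes_from_spray_sources(events, alerts):
    """Accounts that signed in successfully from a spraying source are the ones to chase first."""
    return [(user, src) for _, result, user, src in events
            if result == "SUCCESS" and src in alerts]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evs)
    print(found)                                    # {'203.0.113.7': ['alice', 'bob', 'carol', 'dave', 'erin']}
    print(successes_from_spray_sources(evs, found))  # [('frank', '203.0.113.7')]
```

The thresholds are assumptions to tune per environment; in a real identity provider's logs the same grouping should also be done by user agent and by ASN, since sprays are often spread across many source addresses to stay under per-address limits.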

The Critical Importance of Understanding This Enemy

It cannot be overstated that cybersecurity enemies are continually evolving and becoming more sophisticated in their tactics and approaches. This makes the challenge of keeping pace more difficult for organizations. However, by understanding the tactics and motivations of cybercriminals it is possible for companies to stay ahead of potential threats and develop effective defense strategies. For example:

  • Understanding cybersecurity enemies can help companies identify potential vulnerabilities, capability gaps, and weaknesses in their security infrastructure.
  • Analyzing past cyberattacks and understanding the motivations behind them allows companies to anticipate potential attacks and take proactive, preventative measures. These can include implementing additional security such as firewalls or intrusion detection systems, or training employees to recognize and avoid common phishing attacks.
  • Understanding cybersecurity enemies can help companies respond more effectively to attacks when they do occur and empower them to develop effective incident response plans to minimize the damage caused by an attack and quickly restore systems and data.

There’s Always More To Do

Organizations face an increasing risk from cybercriminals like APT33, who use advanced tactics to exploit vulnerabilities and compromise digital assets. To safeguard their digital estate and data from such threats, businesses must adopt a multi-layered cybersecurity approach and seek the guidance of security experts. One such expert partner is a Managed Security Services Provider (MSSP) who can offer expertise, technology, and infrastructure to address their security needs, while simultaneously reducing the complexity and cost of managing security in-house.

As cybercriminals continue to evolve and become more sophisticated, it is critical to understand their approaches and motivations. By analyzing past cyberattacks, MSSPs can anticipate future ones and take proactive measures, from firewalls and intrusion detection systems to machine learning tools that recognize phishing and support threat hunting. MSSPs have a unique perspective on the threat landscape: because they manage thousands of customers, they see threat vectors and attacks before a single enterprise would.

Ultimately, the best defense against APT33 and other advanced, persistent threats is a proactive and collaborative approach to cybersecurity informed by a deep understanding of the threat landscape. With the right combination of advanced technology, regular employee training, heightened awareness of potential risks, and partnership with an MSSP, organizations can mitigate the threat of these rogue and dangerous APT groups.

This article was originally published in Forbes, please follow me on LinkedIn.

The REvil Gang Story: The “Good Guys” Can Still Prevail

Out of all the cybercrime gangs out there, mention the name “REvil” and you will get a palpable response based on the threat this notorious Russia-based group posed. REvil, also known as Sodinokibi, was a ransomware-as-a-service operation active from at least April 2019 until Russia’s FSB raided its members in January 2022: the core group maintained the malware, the leak site, and the payment infrastructure, while affiliates broke into victims and split the ransoms. Leading up to its demise, REvil became one of the most successful and damaging cybercrime syndicates in the world, responsible for some of the most high-profile ransomware attacks in recent history.

Ruthless REvil

In May 2021, REvil attacked JBS, the world’s largest meat processor, forcing it to halt beef, pork, and poultry plants in the United States and Australia; JBS paid an $11 million ransom. (The Colonial Pipeline attack the same month, which caused fuel shortages in the southeastern United States, was the work of a different group, DarkSide.) In July 2021 REvil hit Kaseya, whose VSA remote-management software is used by managed service providers to administer their customers’ systems; by pushing ransomware through VSA itself, the group reached an estimated 1,500 downstream businesses in a single operation.

REvil’s methods were effective rather than exotic. Its affiliates typically gained access through spear-phishing emails, exposed Remote Desktop services, exploitation of vulnerable internet-facing software (the Kaseya attack used a zero-day in VSA), or stolen login credentials. Once inside a network, REvil actors would spend weeks, or even months, mapping out the organization’s systems and stealing sensitive data before launching the ransomware.

The consequences of REvil attacks were devastating for the enterprises and industries they affected. The group’s ransom demands often ran to millions of dollars, and paying provided no guarantee that data would be restored. Worse, REvil was among the groups that practiced “double extortion,” exfiltrating data before encrypting it. Even a victim that pays can still see the stolen data leaked or reused in future attacks.

The End of REvil

Thankfully, from mid-2021 the wheels started to come off. Days after the Kaseya attack, REvil’s payment and leak sites went dark; it later emerged that the FBI had quietly obtained a master decryption key, and in September 2021 Bitdefender, working with law enforcement, released a free universal decryptor for victims hit before mid-July so they could recover without paying. Around the same time, researchers reported that the operators’ malware contained a backdoor that let them hijack negotiations and cut their own affiliates out of ransoms, which wrecked REvil’s standing on the underground forums where it recruited. In October 2021 a multinational operation took over the group’s infrastructure, including its Tor sites and backups, and within weeks the US Department of Justice announced indictments of two affiliates, an arrest in Poland, and the seizure of $6.1 million in ransom proceeds, while Romanian police made further arrests. Russia’s FSB raided the remaining members in January 2022.

A Tale of Victory

The REvil episode is a tale of victory that showed it’s possible to conquer a sophisticated and dangerous hacker group, and also illustrated how. REvil’s story showcased some important steps law enforcement agencies can take to help combat cybercrime:

  • Collaborate: One of the most important steps law enforcement agencies can take is to collaborate with other agencies, both international and domestic. By working together, law enforcement agencies can pool resources and share information to track down and apprehend groups.
  • Develop Intelligence: This involves gathering information on a group’s activities, methods of attack, and members. Law enforcement agencies can use a variety of methods to gather intelligence, including monitoring online forums and social media, conducting interviews with suspects, and using forensic analysis to gather digital evidence.
  • Legal Tooling: Law enforcement agencies can use a range of legal tools to stop hacker groups. For example, they can obtain warrants to search suspects’ computers and devices, and use wiretaps to monitor communications. Additionally, forfeiture laws can be used to seize assets that were obtained through illegal means.
  • Increase Awareness: Another important step is to increase awareness of cybercrime and its consequences. Law enforcement agencies can work with businesses and organizations to ensure they understand the risks.
  • Invest in Security Services: A recent Gartner survey shows the majority of organizations are pursuing security vendor consolidation in 2022. This trend indicates that organizations are looking to simplify their security infrastructure and streamline security operations. Consolidation can help organizations reduce costs, improve security effectiveness, and increase operational efficiency. By reducing the number of security vendors and products, organizations can focus their resources on a smaller set of solutions and better integrate their security tools. This approach can also help organizations improve visibility into their security posture, as well as better manage and respond to security incidents.

Fighting back against criminal cyberhacker groups is a formidable, challenging mission, but not an impossible one. Ultimately, the fight against cybercrime requires a multi-faceted approach that involves both law enforcement agencies and other stakeholders working together.

A Stark Reminder

The REvil gang serves as a stark reminder of the ongoing threat posed by cybercrime – and the importance of being proactive in our fight against it. It is crucial that law enforcement agencies, businesses, and individuals work together to combat cybercrime and protect ourselves from its devastating consequences.

As IT professionals and executives, we have a responsibility to do our part in this fight. We must prioritize cybersecurity measures and educate our employees about the risks of cybercrime. We should be willing to collaborate and share information with others in our industry, as well as law enforcement agencies, to stay ahead of emerging threats.

While the fight against cybercrime may seem daunting, the demise of the REvil gang is a testament to the power of collaborative efforts and a multi-faceted approach. By working together and leveraging technology, we can prevail against even the most sophisticated and dangerous cybercriminals. In the end, it is up to us to stay vigilant and take action to protect ourselves, our businesses, and our communities.

This article was originally published in Forbes.

Turla Hacking Group: A Persistent International Threat

As we continue our series of articles on state-sponsored cyberattack groups, we turn our focus to the Russia-affiliated Turla hacking group. In previous articles, we examined some of the biggest threats on the cyberattack scene, including APT10 and APT28 (also known as Fancy Bear). These notorious groups are a lurking presence, and Turla is no exception. Active for well over a decade, Turla is assessed to operate out of Russia and to be closely affiliated with the FSB, the Russian intelligence agency and successor to the KGB. It is also known as “Waterbug,” “Venomous Bear,” and “Snake” or “Uroburos” (after its best-known rootkit), and has been linked to numerous high-profile cyberattacks on government agencies, embassies, and organizations around the world.

Destructive Path

Turla has been linked to intrusions in dozens of countries. Its Agent.BTZ worm is widely credited with the 2008 compromise of US Department of Defense networks; the Swiss defense contractor RUAG was found in 2016 to have been compromised by Turla since at least 2014; and the German Federal Foreign Office disclosed in 2018 that the group had been inside its network. (The 2015 attacks on the German Bundestag and the French broadcaster TV5 Monde, sometimes ascribed to Turla, were attributed by investigators to APT28.) The group also targets organizations in the Middle East, including the energy sector. Turla’s sophisticated methods and its focus on government and diplomatic targets have led experts to conclude that the group works on behalf of the Russian government, although public attribution has rested on technical and circumstantial evidence rather than definitive proof.

Methods of Mayhem

Turla uses a wide repertoire to compromise and persist in networks: “living off the land” (abusing administrative tools already present on the victim’s systems), watering hole attacks, spear-phishing emails, and, most unusually, hijacked satellite internet links. Many satellite internet services broadcast their downlink unencrypted, so anyone with a dish in the coverage area can receive it; Turla pointed its command-and-control domains at addresses belonging to legitimate satellite subscribers and captured the replies off the air, which made its C2 hard to trace and cheap to abandon. The group also uses publicly available tooling such as Metasploit and PowerShell, and has routed command and control (C2) through trusted cloud services such as Dropbox and Google Drive so that beacon traffic blends in with ordinary business traffic. A lightweight first-stage implant is typically followed by a heavier “second-stage” backdoor (Turla’s Carbon, Kazuar, and Snake families are examples) that gives the operators a durable foothold; from there they steal sensitive information and move laterally to reach other systems.

Turla is especially dangerous because of its patience and its reach into isolated networks. Agent.BTZ spread by copying itself to USB drives, which is how it crossed into US military networks that had no internet connection at all; an infected stick carried in from outside was enough. The group is also very good at staying hidden: in the RUAG case, the attackers had been in the network from at least September 2014 until the intrusion was discovered in 2016. Microsoft tracked the group under the name KRYPTON, which is sometimes mistaken for a malware family; it is an alias for Turla itself.

Wrestling A Bear

Turla is a highly sophisticated and persistent hacking group that targets a wide range of organizations around the world. Without the right tools and partnership, defending against Turla is like wrestling a bear. Its second-stage malware and its ability to evade detection make it a formidable threat, and one that organizations should take immediate steps to protect against. This includes implementing robust, comprehensive security measures such as multi-factor authentication, intrusion detection and prevention systems, and regular security training for employees. Equally important, organizations should monitor their networks for signs of compromise, including administrative tools and cloud-storage traffic that appear where they have no business reason to be, and take prompt action if suspicious activity is detected. Partnering with managed security providers can bring valuable expertise, resources, and technology to those looking to defend against the threat posed by Turla and similar groups. These providers can offer expert round-the-clock monitoring, incident response, and threat intelligence to help organizations stay ahead of the constantly evolving threat landscape.

This article was originally published in Forbes.

APT28 Aka Fancy Bear: A Familiar Foe By Many Names

We are looking at the biggest threats on the cybersecurity scene – and the most nefarious hacker groups behind them – and this week the spotlight turns to APT28, or Fancy Bear. Don’t let the name fool you. There is nothing cute about Fancy Bear, also known as APT28, Pawn Storm, Sednit, STRONTIUM, and Sofacy. Just like John Wick is known in the Russian underworld as ‘Baba Yaga,’ this group has Russian roots and probably has additional names on that scene.

A Big Name Among Big Names

APT28 is a notorious cyber espionage group that has been active since at least 2007. It targets governments, military organizations, and other high-value targets in many countries using its signature techniques, and has been linked to numerous high-profile operations, including the 2015 intrusion into the German Bundestag, the 2016 hack of the Democratic National Committee, and the 2016 theft and leak of athletes’ medical records from the World Anti-Doping Agency. (The 2017 NotPetya destructive attack is attributed to a different GRU unit, Sandworm, not to APT28.)

One of the most notable campaigns associated with APT28 is the 2016 hack of the Democratic National Committee (DNC) in the United States. This attack resulted in the theft of sensitive emails and other information that were later leaked to the public and was seen as an attempt to interfere with the US presidential election. It was widely condemned. More recently, CISA said it discovered the Russian hacking group had infiltrated a satellite communications provider with critical infrastructure customers.

A Profile in Malice

APT28 is a well-resourced state-sponsored group; the US and UK governments attribute it to Unit 26165 of Russia’s GRU military intelligence agency. It has been the subject of numerous reports and warnings from security companies and government agencies, including the US Department of Homeland Security. Its targets are governments, militaries, media, research institutions, and private-sector companies, and its purpose is intelligence collection and influence operations rather than financial gain.


APT28 relies on advanced malware and hacking techniques to get into its targets’ networks. Alongside spear-phishing, it is known for “watering hole” attacks, in which it compromises websites its targets are known to visit, and for “living-off-the-land” tactics, using legitimate tools and infrastructure already present on the victim’s network to move laterally and evade detection.

APT28 uses a variety of command and control (C2) infrastructure to communicate with its implants and to exfiltrate stolen data, mixing protocols such as HTTP and DNS and rotating domains and hosting often, which makes it hard to detect and block on any single indicator. One of the group’s best-known implants is X-Agent (also called CHOPSTICK), a modular backdoor with Windows, Linux, and mobile variants that was used in the 2016 DNC intrusion; a companion tool, X-Tunnel, relayed the stolen data out. In 2018 ESET documented LoJax, an APT28 UEFI rootkit that lives in the system firmware and survives operating-system reinstallation and disk replacement, the first UEFI rootkit found in use in the wild. (“Sednit” is ESET’s name for the group itself rather than for a single tool.)
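DNS is attractive as a C2 or exfiltration channel because almost every network lets it out, but it leaves a recognizable shape in resolver logs. The check below is an added example, not code from the original article or from any APT28 reporting: it runs over a constructed resolver log and flags a registered domain whose subdomains look like encoded data, meaning many distinct labels under one domain, each long and high-entropy, since every beacon or data chunk has to be a fresh name to get past caches. Domain names, client addresses, and thresholds are constructed or assumed; the attacker domain uses the reserved .example TLD so it cannot resolve.

```python
"""Flag DNS names that look like a covert channel.

Added example, not from the original article. Two signals separate DNS used for
command and control from ordinary lookups: the labels under one registered domain
are long and high-entropy (encoded data), and the number of DISTINCT subdomains
queried under that domain is far larger than a normal site produces. The log
format, domains and client addresses below are constructed for the example.
"""
import math
from collections import defaultdict

# Constructed resolver log: "timestamp client_ip queried_name". cdn-sync.example stands
# in for an attacker domain (.example is reserved). The 32-character labels are built so
# that every hex digit appears exactly twice, giving a known entropy of 4.0 bits/char.
SAMPLE_DNS_LOG = """\
2023-05-01T09:00:00Z 10.0.0.5 www.example.com
2023-05-01T09:00:01Z 10.0.0.5 mail.example.com
2023-05-01T09:00:02Z 10.0.0.5 static.example.com
2023-05-01T09:00:03Z 10.0.0.9 0123456789abcdeffedcba9876543210.cdn-sync.example
2023-05-01T09:00:04Z 10.0.0.9 1032547698badcfeefcdab8967452301.cdn-sync.example
2023-05-01T09:00:05Z 10.0.0.9 23016745ab89efcdcdef98ba45670123.cdn-sync.example
2023-05-01T09:00:06Z 10.0.0.9 fedcba98765432100123456789abcdef.cdn-sync.example
2023-05-01T09:00:07Z 10.0.0.9 456789abcdef01233210fedcba987654.cdn-sync.example
2023-05-01T09:00:08Z 10.0.0.9 89abcdef0123456776543210fedcba98.cdn-sync.example
2023-05-01T09:00:09Z 10.0.0.5 www.example.com
"""


def shannon_entropy(s):
    """Bits per character; random hex tends toward 4.0, readable hostnames sit nearer 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, subdomain_part).

    Simplification: the last two labels are treated as the registered domain. Production
    code should use the Public Suffix List so names like host.example.co.uk split right."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname = line.split()
            rows.append((ts, client, qname))
    return rows


def find_dns_tunnels(rows, min_unique_subs=5, min_sub_len=30, min_entropy=3.5):
    """Return {registered_domain: {...}} for domains whose subdomains look like encoded data."""
    stats = defaultdict(lambda: {"subs": set(), "clients": set(), "encoded_like": 0})
    for _, client, qname in rows:
        base, sub = split_qname(qname)
        if not sub:          # bare registered domain, nothing to measure
            continue
        s = stats[base]
        s["subs"].add(sub)
        s["clients"].add(client)
        if len(sub) >= min_sub_len and shannon_entropy(sub.replace(".", "")) >= min_entropy:
            s["encoded_like"] += 1
    suspicious = {}
    for base, s in stats.items():
        if len(s["subs"]) >= min_unique_subs and s["encoded_like"] >= min_unique_subs:
            suspicious[base] = {"unique_subdomains": len(s["subs"]),
                                "clients": sorted(s["clients"])}
    return suspicious


if __name__ == "__main__":
    for domain, info in find_dns_tunnels(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(domain, info)   # cdn-sync.example {'unique_subdomains': 6, 'clients': ['10.0.0.9']}
```

Expect legitimate false positives from this heuristic: content delivery networks, anti-malware engines, and some cloud telemetry also emit long random-looking labels, so an allow list of known domains belongs in front of it, and the thresholds are assumptions to tune against a baseline of your own resolver logs.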

The group also uses spear-phishing campaigns to target specific individuals and gain access to their networks. These campaigns often use social engineering tactics, such as sending emails that appear to be from a trusted source, to trick victims into clicking on malicious links or attachments.

Defending Against APT28

Organizations can protect themselves against APT28 and other advanced threat actors by implementing strong cybersecurity measures. These include:

  • Partnerships with reputable Managed Security Providers (MSSPs)
  • Regular software updates and patching
  • Employee education and training on security best practices
  • Incident response plans
  • Managed and comprehensive security monitoring and mitigation
  • Immediate action in the case of suspected breaches

APT28 is one of the most serious threats in existence today, and it’s important for organizations and individuals to be aware of its tactics in order to better protect themselves from attacks.

This article was originally published in Forbes.

Spotlight on APT10

To kick off our series highlighting the most notorious and dangerous hacker groups in the industry today, we will focus on a group called APT10. APT10, also known as Stone Panda, Red Apollo, and menuPass, is a Chinese state-sponsored hacking group that has been active since at least 2009. The group targets a wide range of organizations, including government agencies, military organizations, and businesses in many industries.

Who is APT10 

APT10 is best known for Operation Cloud Hopper, a long-running campaign documented by PwC and BAE Systems in 2017 in which the group compromised managed service providers (MSPs) and then rode the MSPs’ own remote-administration access into their clients’ networks, turning one intrusion into many. In December 2018 the US Department of Justice indicted two Chinese nationals, Zhu Hua and Zhang Shilong, who worked with the Tianjin State Security Bureau of the Ministry of State Security (MSS), for their role in APT10’s cyber espionage. This was a significant development in the ongoing effort to combat state-sponsored cyber attacks.

APT10 Aims High 

APT10 knows no boundaries when it comes to attacks. The 2018 indictment describes two campaigns: the MSP campaign, whose downstream victims spanned at least a dozen countries and sectors from banking, healthcare, and telecommunications to manufacturing and oil and gas, and a separate campaign against US government targets in which the group stole the names, Social Security numbers, dates of birth, salary data, and contact details of more than 100,000 US Navy personnel. (The 2014-2015 breach of the US Office of Personnel Management, which exposed records on about 21.5 million people, has not been publicly attributed to APT10.)

APT10 is also known for its focus on intellectual property theft, particularly of sensitive business and technological information. APT10 is believed to have targeted multiple organizations in the aerospace, defense, and energy sectors, as well as technology and engineering fields. Because of this targeting and the exfiltration of data, this group poses a significant national threat, especially from the Chinese state. 

Methods of APT10 Attacks 

APT10 combines custom malware with carefully crafted spear-phishing campaigns. It uses a variety of tools and techniques to infiltrate and maintain access to target networks, including remote access trojans (RATs) and web shells, and, in the MSP campaign, the legitimate remote-administration credentials of the providers it had already compromised.

In addition, APT10 uses the technique of “living off the land” to evade detection and maintain access to target networks. This involves using legitimate tools and processes already present on a system, rather than introducing new malware or other malicious software. 

APT10 also uses “watering hole” attacks, where the group compromises a website likely to be visited by its intended targets in order to infect their systems with malware or steal sensitive information. This technique allows the group to focus on the most valuable targets. 

In recent years, APT10 has been observed using various malware families such as PlugX, Quasar, and RedLeaves. These malware families are used to establish a foothold on a target network and gain persistence. The group has also been known to use infrastructure leased from legitimate, but unaware, hosting providers, making it difficult to trace the origin of the attack. 

Preparing for APT10 

APT10’s attacks are hard to prepare for because there is no longer a single perimeter to defend: workloads span cloud services and data centers, and through MSPs, third parties hold administrative access too. The best approach is awareness and multiple layers of security, including treating a provider’s access with the same scrutiny as your own administrators’.

With the growing number of cyber-attacks and concern about state-sponsored hacking groups like APT10, organizations need to take a proactive approach to protection. This includes implementing strong and comprehensive full-stack security measures such as managed firewalls, intrusion detection and prevention systems, and regular updates to software and systems. Most importantly, professional 24×7 active technical monitoring is a necessity for a well-protected computing system environment. 

Organizations can take several steps to protect themselves against APT10 and other state-sponsored hacking groups: 

  • Implement strong security measures: This includes using fully managed firewalls from a trusted third party, fully managed intrusion detection, endpoint protection and prevention systems, and regularly updating software and systems.
  • Technical monitoring: Active technical monitoring is critical to a well-protected environment. Organizations should partner with a trusted managed security operations center provider to gain access to tools and techniques that detect unusual network activity and potential threats. 
  • Incident response plans: Organizations should have incident response plans in place, including procedures to minimize damage and a team or partner ready to respond quickly to an attack. 
  • Awareness and education: Employees should be trained on the importance of cybersecurity and how to detect and report suspicious activities. 
  • Partner with security experts: Organizations can partner with security experts familiar with numerous threats across industries, and leverage their knowledge and experience to stay ahead of threat actors. 
  • Use multiple layers of security: With the increasing number of cyber attacks, organizations need to use multiple layers of security including network security, endpoint security, and application security. 
  • Regularly assess and update security measures: Organizations should regularly assess and update their security and compliance measures to stay ahead of the latest threats. 

A Significant Threat 

That is just a quick look at APT10, the well-known and dangerous Chinese state-sponsored hacking group that’s been active for over a decade. This sophisticated and well-funded group has been responsible for a number of high-profile cyber attacks and, as APT10 continues to evolve its tactics and techniques, it poses an ongoing threat to organizations around the world.  It should be a critical mission for organizations to be aware of the group and to take steps to protect themselves from APT10.

This article was originally published in Forbes.

The Art of Cyberwar: Understanding Your Enemy

The ancient book on war, “The Art of War” by Sun Tzu, holds many lessons that are surprisingly applicable to today’s cybersecurity operations. One of the most important lessons is captured in the following line:

“If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”

Cyber adversaries are often referred to as “hackers,” but in reality they come in many forms and have varying motivations and techniques. Some groups are well-organized, while others are loosely structured. Some are government-affiliated, while others are purely criminal or terrorist organizations. 

As Sun Tzu advised, it is crucial to have a deep understanding of one’s enemies. In this series of articles, we will examine the major global hacking groups and discuss the best ways to protect against them.

Beset by Dangers: The Most Notorious Groups

Cyber threats are becoming increasingly common and sophisticated in today’s digital age, and hacker groups comprise a significant part of this threat landscape. They are well-funded entities that use their skills to infiltrate, steal, or ransom sensitive information from governments, businesses, and individuals.  

A complete list of these groups would be voluminous, but below I highlight some of the most dangerous hacker groups currently operating: 

  • APT10, also known as Stone Panda or Red Apollo, is a Chinese state-sponsored group that targets intellectual property and business information. The group has been active since at least 2009, and has been linked to several high-profile breaches such as those of the U.S. Navy and the Australian government. APT10 employs a variety of techniques, including phishing, malware, and supply chain attacks, and is believed to focus on technology and manufacturing companies as well as government agencies. 
  • Lazarus Group is a hacker group believed to be operating out of North Korea. The group has been linked to several high-profile cyber attacks, including the Sony Pictures hack in 2014 and the WannaCry ransomware attack in 2017. Lazarus Group uses sophisticated tactics, such as zero-day vulnerabilities and custom malware, to infiltrate its targets. The group has also been linked to several high-profile financial crimes, such as the theft of $81 million from the Bangladesh central bank in 2016. 
  • Turla is a Russian state-sponsored group known for stealing sensitive information from governments and businesses. The group has been active since at least 2007, and focuses on government and diplomatic organizations. Turla uses tactics like watering hole attacks, spear-phishing, and custom malware to infiltrate its targets. 
  • APT33, also referred to as Elfin or Holmium, is an Iranian-linked group that has been active since 2013. The group targets aerospace and energy companies, as well as government organizations, and employs tactics like spear-phishing and custom malware. APT33 is also known for using “living-off-the-land” tactics that leverage legitimate tools and software to evade detection. 
  • FIN7, often conflated with the Carbanak group because the two share malware, is a financially motivated criminal group (not a hacktivist group) that has been active since 2013. FIN7 targets the retail, restaurant, and hospitality industries with point-of-sale malware delivered through carefully crafted spear-phishing, and the US Department of Justice has charged several of its members with stealing more than 15 million payment card records. 
  • REvil, also known as Sodinokibi, was an infamous ransomware-as-a-service group active from 2019 until its members were arrested in January 2022. The group encrypted victims’ data, demanded large sums for the decryption key, and stole data beforehand to threaten a leak if the victim refused. REvil made headlines in 2020 and 2021 with large-scale attacks on companies and government organizations. 
  • Lapsus$ is a loosely organized extortion group that surfaced in late 2021 and is known for stealing source code and data from large technology companies and threatening to leak it. Rather than sophisticated malware, its tactics lean on social engineering: recruiting or bribing insiders at target companies and their contractors, SIM swapping, and bombarding users with multi-factor authentication prompts until one is approved, with results announced on its Telegram channel. Several of its members were arrested in the United Kingdom in 2022.

Be Aware and Prepare 

The threats posed by hacker groups are growing more severe and sophisticated. These groups are known to be highly skilled and well-funded, and to use advanced tactics. They can cause serious damage and pose a significant threat to organizations and individuals. It is important for organizations to be aware of the myriad risks and take appropriate measures to protect themselves. By staying informed and taking proactive and comprehensive steps to secure IT infrastructures, networks, data, applications, and endpoints, organizations can better defend against cyber threats. Additionally, organizations should be prepared to recover in a timely manner should an attack be successful. Organizations should also have a comprehensive program in place to remain vigilant in monitoring for suspicious internal and external activities, and be prepared to respond quickly in the event of a breach. 

Sun Tzu’s Timeless Advice  

By focusing on specific hacker groups in subsequent posts, we can begin to understand the motivations behind these operations, the methodologies each group uses, the specter of business impact to communities at large, and ways to defend against attacks through a comprehensive security approach. The key to success in defending against cyber threats is to be proactive and have an encompassing security program in place. By staying informed, taking appropriate measures to secure networks and data, and preparing for and responding to incidents, organizations can minimize their risk of becoming the victim of a cyber attack.  By following Sun Tzu’s timeless advice to “know your enemy,” organizations can better understand hacker groups – and thus better defend against them.

This article was originally published in Forbes.