Attack vectors: For initial compromise, Mandiant Intelligence has observed APT39 leverage spearphishing with malicious attachments and/or hyperlinks, typically resulting in a POWBAT infection. In some cases, previously compromised email accounts have also been leveraged, likely to abuse inherent trust relationships and increase the chances of a successful attack. APT39 frequently registers and leverages domains that masquerade as legitimate web services and organizations relevant to the intended target. Furthermore, this group has routinely identified and exploited vulnerable web servers of targeted organizations to install web shells, such as ANTAK and ASPXSPY, and has used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources. We have not observed APT39 exploit vulnerabilities.
Target sectors: This threat group has conducted broad targeting across a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East.
Iran Hacking Group Used Open Source multi-platform PupyRAT to Attack Energy Sector Organization
While most Iranian groups have typically targeted a niche set of domestic and foreign targets, in particular government agencies and dissidents, OilRig is far more focused on private industry outside of Iran. "What's interesting about OilRig is how much it's just foreign focused and is interested in the private sector as much as it's interested in the diplomatic establishment," said Collin Anderson, a Washington D.C.-based researcher who is drawing up a report for Carnegie Mellon on Iran's overall cyber power. And though it's unclear just what data OilRig has siphoned off target systems, the unit is representative of a shift in Iran's cyber strategy, from destructive attacks, such as the infamous hit on the Las Vegas Sands Casino in 2014, to stealthy monitoring of targets.
APT33, which has also been known as Elfin, NewsBeef, and Holmium, has been attributed to Iran and has been active since at least 2013. This group has been very active in the past 3 years, with attacks occurring every few months. Its targets include a wide variety of industries such as government, research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors. The majority of the attacks focus on organizations located in Saudi Arabia. Many U.S.-based organizations have also been targeted, including a large number of Fortune 500 companies.
Starting in 2016 and continuing into 2017, APT33 targeted various aerospace and aviation-related organizations. During the same time period, the group also attempted to compromise organizations within the petrochemical sector. The primary vector for attacks was using spear phishing with a malicious file attachment. These emails usually were related to job vacancy announcements to entice the potential victim to open them.
The likely reasoning behind the aerospace targeting is to enhance Iran's aviation capabilities. For the other targets, Iran may want to expand its own petrochemical production and improve its competitiveness within the region. Another campaign that occurred during this time targeted Saudi Arabian government organizations, where the adversary used two different attack vectors: spear phishing and watering hole attacks. While the spear-phishing component used the traditional malicious Microsoft Office documents with macros enabled, the watering hole component required more effort. The threat group researched and compromised servers that hosted content relevant to the potential targets.