APT33
Also known as: HOLMIUM · Elfin · Peach Sandstorm
Overview
APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.
Targets
Private sector
Regions
Saudi Arabia · South Korea · United States
Capabilities
- Destructive / data-wiping operations — software: StoneDrill
- Exploitation of public-facing / client applications — ATT&CK T1203 (Exploitation for Client Execution; the techniques listed on this page cover client-side exploitation only)
- Custom malware/implant development — ATT&CK: 7 attributed custom malware families
- Documented tooling: STONEDRILL wiper, variants of TURNEDUP malware — MISP galaxy (meta.capabilities)
TTPs — 31 techniques across 10 tactics
Resource Development
- T1588.002 Tool
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
Stealth
- T1027.013 Encrypted/Encoded File
- T1078 Valid Accounts
- T1078.004 Cloud Accounts
Credential Access
- T1003.001 LSASS Memory
- T1003.004 LSA Secrets
- T1003.005 Cached Domain Credentials
- T1040 Network Sniffing
- T1110.003 Password Spraying
- T1552.001 Credentials In Files
- T1552.006 Group Policy Preferences
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Web Browsers
Collection
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
- T1132.001 Standard Encoding
- T1571 Non-Standard Port
- T1573.001 Symmetric Cryptography
Exfiltration
Tools & malware (16)
PowerSploit · AutoIt backdoor · PoshC2 · Ruler · Mimikatz · NanoCore · DEADWOOD · StoneDrill · POWERTON · LaZagne · TURNEDUP · NETWIRE · Net · Pupy · Empire · ftp
Reporting (3)
- How Microsoft names threat actors — Microsoft
- Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint — Microsoft Threat Protection Intelligence Team
- Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. — Symantec Security Response Attack Investigation Team