Threats Feed | APT33 | Last Updated: 05/05/2025 | Author: Certfa Radar | Publish Date: 14/09/2023

Iranian APT33 Intensifies Attacks on Multiple Sectors Worldwide

  • Actor Motivations: Espionage, Exfiltration, Sabotage
  • Attack Vectors: Compromised Credentials, Vulnerability Exploitation, Backdoor, Dropper, Malicious Macro, RAT, Wiper, Spear Phishing
  • Attack Complexity: High
  • Threat Risk: High Impact / High Probability

Threat Overview

APT33, an Iranian threat group active since 2013, targets multiple countries and sectors, primarily Saudi Arabia and the United States. The group employs spear phishing with malicious attachments and links, watering hole attacks, and both custom and commodity malware, including the Shamoon data wiper. It exploits known vulnerabilities and uses stolen credentials to gain initial access. Key targets include the government, aerospace, petrochemical, engineering, finance, and telecom sectors. APT33’s infrastructure includes masquerading domains and compromised servers. Recent activity includes targeting cloud infrastructure and using spoofed domains to distribute malware.
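Because macro-laden Office attachments are one of the initial-access vectors listed above, an e-mail gateway or SOC triage script should decide on content rather than on the file extension, which a sender can rename. The following is an added example written for this page, not code from Certfa Radar or from any named product. It builds two constructed Office Open XML documents in memory (one macro-enabled, one plain), then classifies each by looking for the VBA project part and its declared content type; legacy OLE2 binaries (.doc/.xls) are only flagged for deeper inspection, since walking the OLE storage tree is out of scope here.

```python
"""Flag e-mail attachments that carry VBA macros (added example, constructed samples)."""
import io
import zipfile

# First 8 bytes of a legacy OLE2 compound file (.doc, .xls, .ppt)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Content type Office assigns to the VBA project part inside an OOXML package
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def classify_attachment(data: bytes) -> str:
    """Return one of 'macro', 'clean', 'ole2-legacy' or 'not-office'.

    The check is content-based: the filename and its extension are ignored.
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in an OLE storage, not a zip part.
        return "ole2-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # The VBA project part sits under word/, xl/ or ppt/ depending on the app.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # The package manifest also declares the part; check it in case the
            # part was stored under an unusual path.
            if "[Content_Types].xml" in names:
                if VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                    return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal Word package; with_macro=True mimics a .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        ct = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        )
        if with_macro:
            ct += ('<Override PartName="/word/vbaProject.bin" '
                   'ContentType="application/vnd.ms-office.vbaProject"/>')
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes; a real part is an OLE stream with the VBA modules.
            zf.writestr("word/vbaProject.bin", b"\x01placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a macro-enabled document, a plain one, an OLE2 stub, a PDF header.
    for label, blob in [
        ("docm-like", build_ooxml(True)),
        ("docx-like", build_ooxml(False)),
        ("legacy-doc", OLE2_MAGIC + b"\x00" * 504),
        ("pdf", b"%PDF-1.4\n"),
    ]:
        print(f"{label:12s} -> {classify_attachment(blob)}")
```

In a gateway, 'macro' attachments from external senders would be quarantined and 'ole2-legacy' ones routed to a sandbox or an OLE-aware parser; the classifier deliberately does not trust the extension, and the macro part is detected even if renamed, because the lookup is on the zip entry name and the manifest content type rather than the attachment's filename.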

Detected Targets

Type     Description                         Confidence
Sector   Consulting                          Medium
Sector   Defense                             Verified
Sector   Financial                           Verified
Sector   Government Agencies and Services    Verified
Sector   High-Tech                           Verified
Sector   Information Technology              Verified
Sector   Logistics                           Verified
Sector   Manufacturing                       Verified
Sector   Retail                              Verified
Sector   Aerospace                           Verified
Sector   Education                           Verified
Sector   Healthcare                          Verified
Sector   Researchers                         Verified
Sector   Telecommunication                   Verified
Region   Belgium                             Verified
Region   China                               Verified
Region   Czech Republic                      Verified
Region   Jordan                              Verified
Region   Morocco                             Verified
Region   Saudi Arabia                        Verified
Region   South Korea                         Verified
Region   Thailand                            Verified
Region   United Arab Emirates                Verified
Region   United Kingdom                      Verified
Region   United States                       Verified

FAQs

Understanding APT33’s Threat Activities

APT33, an Iran-linked cyber threat group, has been carrying out sophisticated cyberattacks since at least 2013, targeting a wide range of industries in the Middle East, the U.S., and beyond.

The group, known by several names including Elfin and Holmium, is attributed to Iran and is believed to operate with state sponsorship.

APT33’s objectives appear to include espionage, competitive advantage in sectors like aviation and petrochemicals, and potentially disruptive operations such as deploying wiper malware.

While their main focus is on Saudi Arabia and the United States, APT33 has also targeted organizations in Europe and Asia, indicating a broad geographic reach.

Victims span the aerospace, chemical, government, financial, engineering, and telecom sectors, often including high-profile firms and critical infrastructure operators.

APT33 primarily uses spear phishing emails with malicious attachments, stolen credentials, and exploitation of known software vulnerabilities to infiltrate networks and deploy malware.

The likely motive is to support Iran’s strategic interests in defense, economic development, and regional influence by stealing data or disrupting rivals.

Defensive actions include improving email defenses, enforcing strong password and authentication policies, applying security patches promptly, and monitoring for known malware behaviors.

These are highly targeted attacks aimed at specific organizations rather than the general public, but the tactics used can have broader cybersecurity implications.