A private U.S.-based security firm is linking an Iranian government-sponsored hacking group to cyber-attacks targeted at organizations across the world.
The security firm FireEye said Wednesday the Iranian hackers used malware to attack aerospace and petrochemical firms in the United States, Saudi Arabia and South Korea.
The hacking group, dubbed APT33 (advanced persistent threat) by the FireEye researchers, used phishing emails and fake domain names to gain access to computer systems of the targeted companies.
The report suggests the hackers target the companies in an effort to “enhance Iran’s domestic aviation capabilities or to support Iran’s military and strategic decision making vis-a-vis Saudi Arabia.”
“We believe the targeting of the Saudi organization may have been an attempt to gain insight into regional rivals, while the targeting of South Korean companies may be due to South Korea’s recent partnerships with Iran’s petrochemical industry as well as South Korea’s relationships with Saudi petrochemical companies,” the report reads.
The FireEye report says the hackers retained access to the companies’ computers for between four and six months at a time, during which the hackers were able to steal data and drop off malware that could potentially be used to destroy the infected computers.
It is difficult to accurately attribute cyber-attacks, but FireEye says it linked the hackers to Iran in part by tracking an online handle, “xman_1365_x,” that was accidentally left in the malware coding.
The report also notes references to the Farsi language in the malware code and that the hackers’ workdays appear to correspond with the Iranian time zone, and the Saturday to Wednesday workweek used in the country.