| APT33 | |
|---|---|
| Name | APT33 |
| Aliases | Refined Kitten, Elfin, Magnallium, Holmium (later Peach Sandstorm) |
| Country | Iran (attributed) |
| Active | 2013–present |
| Motives | Espionage, sabotage |
| Typical targets | Aviation, energy, petrochemical, government, academia |
APT33 is a persistent cyber espionage and sabotage actor attributed to the Iranian state by government cyber agencies and private security firms. Active since at least 2013, the group has conducted operations against organizations in Saudi Arabia, the United States, South Korea, and other countries, with a focus on aviation and energy: its campaigns have targeted aerospace suppliers and regional energy companies, and its lures have impersonated firms such as Boeing and Rolls-Royce, blending spearphishing, web compromise, and bespoke malware. Analyses by FireEye (now Mandiant), CrowdStrike, Microsoft Threat Intelligence Center, and NCC Group have mapped its toolkit and linked its infrastructure and tooling to other Iranian activity assessed to operate on behalf of the Islamic Revolutionary Guard Corps.
Open-source reporting and government advisories attribute APT33 to operators working on behalf of Iranian state institutions, in particular units associated with the Islamic Revolutionary Guard Corps. Government investigations and private-sector reporting have connected the group's campaigns to Iranian strategic objectives during periods of regional tension, including the period around the Joint Comprehensive Plan of Action and the diplomatic crises between Iran and Saudi Arabia and the United Arab Emirates. Attribution assessments rest on overlaps in infrastructure with other Iranian campaigns and, in FireEye's 2017 analysis, on a malware developer persona associated with the Nasr Institute, an organization reported to be controlled by the Iranian government.
APT33 has employed spearphishing with malicious attachments, credential harvesting, and web shells on compromised servers belonging to targets such as aviation suppliers and petrochemical firms. The group has developed and used custom malware, including the DROPSHOT dropper, the TURNEDUP backdoor and the SHAPESHIFT wiper documented by FireEye, alongside commodity remote-access tools such as NanoCore and NetWire; SHAPESHIFT can wipe disks and delete files, and FireEye linked DROPSHOT to the StoneDrill wiper that Kaspersky had associated with Shamoon 2.0, the family used in earlier Iranian-linked attacks on Gulf energy companies. Operational tradecraft includes use of compromised email accounts, counterfeit webmail login pages, and lateral movement over standard Windows protocols in intrusions affecting organizations in the Saudi energy supply chain. Microsoft has additionally reported large-scale password spraying against cloud accounts by the same actor, which it tracks as Holmium and later Peach Sandstorm. Analysts have documented command-and-control patterns involving bulletproof hosting, abuse of compromised consumer services, and registration of look-alike domains impersonating aerospace contractors such as Boeing and Alsalam Aircraft Company and their suppliers.
Public reporting has tied the group to targeted intrusions against Saudi Arabian aviation and energy organizations, with victimology extending to South Korean oil-refining and petrochemical companies and United States aerospace and field-service providers. High-profile disclosures described spearphishing campaigns that used resumes, job offers, and industry-specific lures aimed at employees of airframe manufacturers and petrochemical firms. Some incidents included destructive phases resembling earlier sabotage operations against Middle East critical infrastructure, and their timing and targeting overlapped with campaigns attributed to other Iranian actors during regional crises such as the Yemeni conflict and periods of sanctions-related economic pressure on Iranian industry.
Multiple cybersecurity vendors and national cyber authorities attribute APT33 to Iranian state-aligned actors on the basis of overlaps in infrastructure, malware code, operational behavior, and targeting consistent with Iranian strategic interests. Reports cite similarities between APT33 tooling and other activity clusters attributed to Tehran-based institutions, including units assessed to have connections with the Islamic Revolutionary Guard Corps and Iranian ministry-linked technical organizations. Some analyses note overlaps with other Iranian clusters such as Chafer (APT39) and OilRig (APT34), but differences in tooling and tradecraft lead vendor taxonomies to treat APT33 as distinct from those groups and from MuddyWater.
The group's victim set emphasizes the aviation industry, the energy sector, and academic and governmental entities in the Middle East and beyond, consistent with objectives of obtaining aviation- and energy-related intellectual property and operational data and of positioning for sabotage. Targeting of suppliers and research organizations connected to major entities such as Boeing, Airbus, Saudi Aramco, and regional universities reflects an intent to access technical designs, credentials, and operational plans. Observers assessing motive point to strategic intelligence collection, competitive advantage for state industries, and disruptive options during geopolitical crises involving Saudi Arabia, the United Arab Emirates, and Israel.
Detection recommendations in public advisories emphasize network monitoring for command-and-control indicators, multi-factor authentication on all externally reachable accounts (which also blunts the group's password spraying), patching of internet-facing web applications, monitoring for newly registered look-alike domains that impersonate the organization and its suppliers, and endpoint detection for known APT33 malware signatures cataloged by vendors including Microsoft, Symantec, Kaspersky Lab, and ESET. Incident response guidance advocates forensic imaging, credential resets, notification of the relevant national CERT (CISA in the United States), and information sharing through FIRST and sector-specific ISACs such as the Aviation ISAC and the Electricity ISAC for coordinated mitigation. United States Department of the Treasury sanctions and law enforcement actions against Iranian state-linked cyber actors have been employed in parallel with technical countermeasures to disrupt infrastructure supporting such operations.
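A minimal form of the look-alike domain check that the tradecraft and detection paragraphs above describe, as an added example written for this page and not code from any vendor report or advisory: it scans constructed mail-gateway log lines for sender domains that impersonate protected supplier brands (homoglyph substitution, single-character typo, brand embedded in a longer name, or brand used as a subdomain of an unrelated domain) and raises severity when the subject carries a job, resume or webmail-credential lure or the message has a macro-capable attachment. The protected brand list, the log format, the log lines and the lure keywords are assumptions made for illustration.

```python
"""Look-alike sender-domain detection for supplier-impersonation lures.

Added example for this page, not vendor or project code. The brand list,
log format and log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed brands whose domains the organisation wants to protect.
PROTECTED_DOMAINS = ("boeing.com", "rolls-royce.com")

# Lure themes the profile describes: job/resume lures and webmail credential lures.
LURE_RE = re.compile(r"\b(resume|job|career|offer|vacancy|password|webmail)\b", re.I)

# Attachment types commonly used to carry macro- or script-based first stages.
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".hta", ".lnk", ".iso")

# Character substitutions common in look-alike registrations (folded before comparison).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed mail-gateway log: timestamp | sender | subject | attachment ("-" = none)
SAMPLE_LOG = """\
2024-03-01T08:12:03Z | hr@boeing.com | Q2 supplier schedule | schedule.xlsx
2024-03-01T08:15:44Z | careers@b0eing.com | Job offer: Senior Avionics Engineer | Offer_Letter.doc
2024-03-01T09:02:10Z | recruit@rolls-roycejobs.net | Your resume was shortlisted | Resume_Form.docm
2024-03-01T09:20:31Z | noreply@boeing.com.portal-login.info | Webmail password expiry | -
2024-03-01T10:05:55Z | alice@example.org | Lunch on Friday? | -
2024-03-01T10:30:12Z | info@boeinq.com | Newsletter | -
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) \| (?P<sender>\S+) \| (?P<subject>.*?) \| (?P<attachment>\S+)$")


@dataclass
class Finding:
    sender: str
    verdict: str
    brand: Optional[str]
    lure: bool
    risky_attachment: bool
    severity: str


def normalize(label: str) -> str:
    """Fold common homoglyph substitutions so that b0eing compares equal to boeing."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels; a production version should consult the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Verdicts: legitimate, brand_as_subdomain,
    lookalike, typosquat, brand_embedded, unrelated."""
    domain = domain.lower()
    reg = registrable(domain)
    if reg in PROTECTED_DOMAINS:
        return "legitimate", reg
    reg_label = normalize(reg.split(".")[0])
    for brand in PROTECTED_DOMAINS:
        brand_label = brand.split(".")[0]
        if f".{brand}." in f".{domain}.":               # boeing.com.portal-login.info
            return "brand_as_subdomain", brand
        if reg_label == brand_label:                    # b0eing.com, boeing.net
            return "lookalike", brand
        if levenshtein(reg_label, brand_label) <= 1:    # boeinq.com
            return "typosquat", brand
        if brand_label in reg_label:                    # rolls-roycejobs.net
            return "brand_embedded", brand
    return "unrelated", None


def scan_log(text: str) -> list:
    """Parse log lines and report senders whose domain impersonates a protected brand."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # tolerate malformed lines instead of aborting the scan
        sender = m["sender"]
        verdict, brand = classify_domain(sender.rpartition("@")[2])
        if verdict in ("legitimate", "unrelated"):
            continue
        lure = LURE_RE.search(m["subject"]) is not None
        risky = m["attachment"].lower().endswith(RISKY_EXTENSIONS)
        severity = "high" if (lure or risky) else "medium"
        findings.append(Finding(sender, verdict, brand, lure, risky, severity))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.verdict:19} {f.sender}  (brand={f.brand}, lure={f.lure}, risky={f.risky_attachment})")
```

The registrable-domain split is deliberately naive (last two labels) so the example stays self-contained; against real mail traffic it must use the Public Suffix List, and the brand-embedding test should be restricted to brand names long enough not to collide with ordinary words.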
Category:Cyber threat groups