One of the most sophisticated Iranian-linked advanced persistent threat (APT) groups has built and is managing its own private network of VPN nodes, which it uses to communicate with command and control servers and to perform reconnaissance on targeted networks, the latest report from Trend Micro showed.
The group, tracked by security researchers as APT33 and Elfin Team, has been active since at least 2013 and has been known to target organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. The group is also believed to be the developer of the infamous disk-wiping malware known as Shamoon (DistTrack) that destroyed over 35,000 workstations at Saudi Arabia's Saudi Aramco in 2012.
According to Trend Micro, in 2019 confirmed infections include a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia.
While investigating these attacks, the researchers were able to gain insight into how APT33 manages its hacking infrastructure. They found that the hackers have been using several C&C domains for small botnets of about a dozen bots each, an effort to make tracking more difficult.
“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains. The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections,” the researchers wrote.
Instead of using commercial VPN services, as is often the case with other threat groups, APT33 set up its own private VPN network. Such a network can be built easily by renting a couple of servers from datacenters around the world and using open source software like OpenVPN.
“Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node,” the Trend Micro team explained.
It appears that APT33 has been using these VPN exit nodes exclusively, which allowed the researchers to observe some of the group’s private VPN exit nodes for more than a year (the list of associated IP addresses is available here).
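The attribution approach described above can be turned into a simple defensive check: match inbound connection sources against a watchlist of known exit nodes, honouring the period in which each node was observed in use, since the report notes that exit nodes are rotated frequently. The following is an added example and not code from Trend Micro or the report; the watchlist, actor labels, date windows and log lines are all constructed (RFC 5737 documentation addresses), not real indicators.

```python
"""Attribute inbound connections to a tracked actor by matching source IPs
against a watchlist of private VPN exit nodes with observed validity windows."""
from collections import defaultdict
from datetime import date, datetime
import ipaddress

# Constructed watchlist (hypothetical): exit node, actor label, first and last
# date the node was observed in use. Documentation ranges only, not real IoCs.
EXIT_NODES = [
    ("198.51.100.7", "ACTOR-A", date(2019, 1, 1), date(2019, 6, 30)),
    ("203.0.113.42", "ACTOR-A", date(2019, 5, 1), date(2019, 12, 31)),
    ("192.0.2.9", "ACTOR-B", date(2019, 1, 1), date(2019, 12, 31)),
]


def parse_line(line):
    """Parse a constructed 'ISO-timestamp src dst' log line."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def attribute(line):
    """Return the actor label if the source IP was a listed exit node at the
    time of the connection; None if unknown or outside the node's window."""
    ts, src, _ = parse_line(line)
    ip = ipaddress.ip_address(src)
    for node, actor, start, end in EXIT_NODES:
        if ip == ipaddress.ip_address(node) and start <= ts.date() <= end:
            return actor
    return None


def summarize(lines):
    """Count attributed connections per (actor, destination) pair."""
    counts = defaultdict(int)
    for line in lines:
        actor = attribute(line)
        if actor is not None:
            counts[(actor, parse_line(line)[2])] += 1
    return dict(counts)


# Constructed sample log: the second line uses a node after its window closed.
SAMPLE_LOG = [
    "2019-03-10T08:00:00 198.51.100.7 10.0.0.5",
    "2019-09-01T09:00:00 198.51.100.7 10.0.0.5",
    "2019-09-01T09:05:00 203.0.113.42 10.0.0.5",
    "2019-09-02T10:00:00 192.0.2.9 10.0.0.8",
    "2019-09-02T10:01:00 198.51.100.200 10.0.0.8",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A rotated-out node deliberately does not match outside its window, so stale watchlist entries do not produce false attributions.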
These private VPN exit nodes were also used for reconnaissance of networks that are relevant to the supply chain of the oil industry.
“More concretely, we have witnessed some of the IP addresses doing reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S.,” the researchers said.
Interestingly, APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. The group also expressed an interest in websites that specialize in the recruitment of employees in the oil and gas industry, Trend Micro said.