14 November 2019

APT33 hackers set up their own VPN network to thwart tracking

One of the most sophisticated Iranian-linked advanced persistent threat (APT) groups has built and operates its own private network of VPN exit nodes, which it uses to reach its command-and-control (C&C) infrastructure and to perform reconnaissance against targeted networks, according to the latest report from Trend Micro.

The group, tracked by security researchers as APT33 (also known as Elfin), has been active since at least 2013 and is known to target organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. The group is also believed to be the developer of the infamous disk-wiping malware known as Shamoon (DistTrack), which destroyed over 35,000 workstations at Saudi Aramco in 2012.

According to Trend Micro, in 2019 confirmed infections include a private American company that offers services related to national security, victims connecting from a university and a college in the U.S., a victim most likely related to the U.S. military, and several victims in the Middle East and Asia.

While investigating these attacks, the researchers gained insight into how APT33 manages its hacking infrastructure. They found that the group runs several C&C domains, each serving a small botnet of roughly a dozen bots, an arrangement that keeps individual campaigns small and makes tracking more difficult.

“The C&C domains are usually hosted on cloud hosted proxies. These proxies relay URL requests from the infected bots to backends at shared webservers that may host thousands of legitimate domains. The backends report bot data back to a data aggregator and bot control server that is on a dedicated IP address. The APT33 actors connect to these aggregators via a private VPN network with exit nodes that are changed frequently. The APT33 actors then issue commands to the bots and collect data from the bots using these VPN connections,” the researchers wrote.

Instead of using commercial VPN services, as is often the case with other threat groups, APT33 set up its own private VPN network. Such a network can be built cheaply by renting a handful of servers from datacenters around the world and running open-source software such as OpenVPN on them.

“Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node,” Trend Micro team explained.

Because the exit nodes appear to have been used exclusively by APT33, the researchers were able to observe some of the group's private VPN exit nodes for more than a year (Trend Micro has published the list of associated IP addresses).

These private VPN exit nodes were also used for reconnaissance of networks that are relevant to the supply chain of the oil industry.

“More concretely, we have witnessed some of the IP addresses doing reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, as well as an oil company in the U.S.,” the researchers said.
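The attribution logic Trend Micro describes above (an exit node used mainly by one actor gives high confidence for any connection from it, whereas a shared commercial VPN exit does not) and the reconnaissance observed against company networks can be turned into a simple log-matching check. The following is an added example written for this page, not code from Trend Micro or from the report. All IP addresses in it are RFC 5737 documentation addresses used as placeholders, the indicator table and actor name "ACTOR-A" are hypothetical, and the access-log lines are constructed rather than captured; a real deployment would load the published indicator list instead.

```python
"""
Match web-server access logs against a curated list of VPN exit node IPs and
assign an attribution confidence per hit, then flag IPs that touched several
distinct paths (a crude reconnaissance signal).

Placeholders: every IP below is from the RFC 5737 documentation ranges and the
indicator table is hypothetical. The log sample is constructed, not captured.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical indicator table: exit node IP -> (actor, node kind).
# "private"    = exit node observed to be used (almost) exclusively by one actor
# "commercial" = shared VPN exit with many unrelated users behind it
INDICATORS = {
    "192.0.2.10": ("ACTOR-A", "private"),
    "192.0.2.11": ("ACTOR-A", "private"),
    "198.51.100.7": ("ACTOR-A", "commercial"),
}

# Confidence follows the node kind: exclusive use of an exit node supports
# attribution, a shared exit only supports it weakly.
CONFIDENCE = {"private": "high", "commercial": "low"}

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2019:08:01:12 +0000] "GET /careers/oil-gas HTTP/1.1" 200 5120
192.0.2.10 - - [10/Nov/2019:08:01:15 +0000] "GET /owa/ HTTP/1.1" 404 210
192.0.2.11 - - [10/Nov/2019:09:30:02 +0000] "GET /vpn/index.html HTTP/1.1" 404 210
198.51.100.7 - - [10/Nov/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 12000
203.0.113.5 - - [10/Nov/2019:10:05:44 +0000] "GET /index.html HTTP/1.1" 200 12000
not a log line
"""


@dataclass(frozen=True)
class Hit:
    ip: str
    ts: str
    path: str
    actor: str
    confidence: str


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def attribute(lines, indicators=INDICATORS):
    """Return a Hit for every well-formed line whose client IP is a known exit node."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ipaddress.ip_address(rec["ip"])  # reject garbage in the IP field
        except ValueError:
            continue
        if rec["ip"] in indicators:
            actor, kind = indicators[rec["ip"]]
            hits.append(Hit(rec["ip"], rec["ts"], rec["path"], actor, CONFIDENCE[kind]))
    return hits


def summarize(hits):
    """Count hits per actor, split by attribution confidence."""
    out = {}
    for h in hits:
        out.setdefault(h.actor, {"high": 0, "low": 0})[h.confidence] += 1
    return out


def recon_candidates(hits, min_paths=2):
    """IPs among the hits that requested at least min_paths distinct paths."""
    paths = defaultdict(set)
    for h in hits:
        paths[h.ip].add(h.path)
    return sorted(ip for ip, p in paths.items() if len(p) >= min_paths)


if __name__ == "__main__":
    found = attribute(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts}  {h.ip:<14} {h.actor} ({h.confidence})  {h.path}")
    print("summary:", summarize(found))
    print("recon candidates:", recon_candidates(found))
```

The confidence label only holds while the exit node remains in exclusive use; Trend Micro notes that the nodes are rotated frequently, so an indicator table like this one needs a last-seen date and periodic pruning, and a match against a commercial exit should be treated as a lead, not as attribution.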

Interestingly, APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. The group also expressed an interest in websites that specialize in the recruitment of employees in the oil and gas industry, Trend Micro said.
