Elfin espionage group is focused on Saudi, U.S. organizations, Symantec says
In the last three years, a suspected Iranian cyber-espionage group has targeted organizations in Saudi Arabia and the United States in attacks spanning several sectors, researchers from cybersecurity company Symantec said Wednesday.
The researchers described a hacking group that “has compromised a wide range of targets, including governments along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.”
Some three-quarters of the 50 organizations hit by the group that Symantec calls Elfin and that others label APT33 are based in Saudi Arabia and the U.S., the researchers said. FireEye, another cybersecurity company, has previously concluded that APT33 “works at the behest of the Iranian government,” and that it has taken a particularly close interest in the aviation sector.
The tally of American targets includes “a number of Fortune 500 companies,” according to Symantec.
“Elfin’s goal appears to be sabotage,” Jon DiMaggio, senior threat intelligence analyst at Symantec, told CyberScoop. Their malware, a trojan called Stonedrill, “is designed to wipe the hard drives of the systems they infect, rendering them useless to the victim.”
Saudi Arabia and the U.S. are two of Iran’s top geopolitical rivals. American officials routinely mention Iran in the same breath as China, North Korea, and Russia as the main nation-state threats to the U.S. in cyberspace.
Like other nation-state-linked groups, Elfin aims to exploit known vulnerabilities that system owners fail to patch. When the group targeted an organization in the Saudi chemical sector last month, it tried to exploit a flaw in the WinRAR file-archiving software that is becoming increasingly popular with suspected government-backed hackers.
Symantec blocked the malware, and the intrusion attempt was unsuccessful, according to DiMaggio.
Nalani Fraser, FireEye’s senior manager of threat intelligence, told CyberScoop that her company also saw the hacking group send multiple spearphishing emails with malicious WinRAR attachments to people in the energy sector last month. The emails purported to come from senior executives at Middle East oil and gas organizations, she said.
In a region where there is no shortage of government-sponsored cyber activity, Elfin stands out, according to Symantec.
The group “is one of the most active groups currently operating in the Middle East” and has shown a “willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims,” the company said.