Elfin espionage group is focused on Saudi, U.S. organizations, Symantec says

The Elfin group, a significant component of Tehran's hacking arsenal, uses a trojan to wipe victim hard drives.

In the last three years, a suspected Iranian cyber-espionage group has targeted organizations in Saudi Arabia and the United States in attacks spanning several sectors, researchers from cybersecurity company Symantec said Wednesday.

The researchers described a hacking group that “has compromised a wide range of targets, including governments along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.”

Some three-quarters of the 50 organizations hit by the group, which Symantec calls Elfin and others label APT33, are based in Saudi Arabia and the U.S., the researchers said. FireEye, another cybersecurity company, has previously concluded that APT33 “works at the behest of the Iranian government,” and that it has taken a particularly close interest in the aviation sector.

The tally of American targets includes “a number of Fortune 500 companies,” according to Symantec.

“Elfin’s goal appears to be sabotage,” Jon DiMaggio, senior threat intelligence analyst at Symantec, told CyberScoop. Their malware, a trojan called Stonedrill, “is designed to wipe the hard drives of the systems they infect, rendering them useless to the victim.”

Saudi Arabia and the U.S. are two of Iran’s top geopolitical rivals. American officials routinely mention Iran in the same breath as China, North Korea, and Russia as the main nation-state threats to the U.S. in cyberspace.

Like other nation-state-linked groups, Elfin aims to exploit known vulnerabilities that system owners fail to patch. When the group targeted an organization in the Saudi chemical sector last month, it tried to exploit a flaw in the WinRAR file-archiving software, a vulnerability that is becoming increasingly popular with suspected government-backed hackers.

Symantec blocked the malware, and the intrusion attempt was unsuccessful, according to DiMaggio.

Nalani Fraser, FireEye’s senior manager of threat intelligence, told CyberScoop that her company also saw the hacking group send multiple spearphishing emails with malicious WinRAR attachments to people in the energy sector last month. The emails purported to come from senior executives at Middle East oil and gas organizations, she said.

In a region where there is no shortage of government-sponsored cyber activity, Elfin stands out, according to Symantec.

The group “is one of the most active groups currently operating in the Middle East” and has shown a “willingness to continually revise its tactics and find whatever tools it takes to compromise its next set of victims,” the company said.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.