APT33 (Advanced Persistent Threat 33) dates back to 2013. Malware researchers believe that the hacking group originates from Iran and is likely state-sponsored. The APT33 hacking group's efforts appear to be concentrated on furthering the interests of the Iranian government, as they tend to target competing industries in foreign countries, often in the aerospace, defense, and chemical sectors. Most of their campaigns concentrate on three particular regions – Saudi Arabia, the United States, and South Korea. It is not uncommon for governments to sponsor hacking groups and employ them for espionage and various other activities.
The Latest Attack Targeted Saudi Arabia
APT33 puts quite a lot of effort into remaining anonymous, as they often change their hacking tools as well as the infrastructure they use. In March 2019 APT33 launched an attack against targets in Saudi Arabia using the Nanocore RAT. Shortly after the attack took place they completely changed their infrastructure and stopped using the Nanocore RAT, and have instead been employing a new RAT called njRAT.
Another one of their infamous hacking tools is the DropShot dropper. They have also used StoneDrill, their self-made disk wiper that shares some properties with the Shamoon 2 wiper. Some experts speculate that the APT33 hacking group has over 1,200 domains and hundreds of servers, which goes to show how vast their infrastructure is and how easily they can throw off cybersecurity experts by simply switching routes.
Apart from developing their own hacking tools, APT33 often takes advantage of publicly available tools like AdwindRAT, SpyNet, RevengeRAT, DarkComet, and many others. It is likely that APT33 will continue its activities in the future and keep expanding both its infrastructure and its arsenal.