Iran (APT33): Trend Micro released an article stating that they were able to find and investigate a personal VPN network that is being used by Iran’s most prominent threat group, APT33. APT33 has been seen many times in the past targeting the oil and aviation industries. Most recently in 2019, the group was seen using spear-phishing campaigns to take advantage of an Outlook vulnerability. The group switched targets in 2019, focusing on American universities and colleges, entities close to the U.S. military, and several victims in the Middle East and Asia. The VPN network that the group developed used many different layers of security to keep the group from easily being tracked down. One thing the group may have overlooked is that because they rented server space for their network, as opposed to using a standard VPN, researchers only had to track a certain number of IP addresses. If the threat group would have used a standard VPN service, their IP address would have rotated between attacks, making them harder to identify as the attacker. Now that researchers were able to track down the IP addresses that were used in the VPN network, they could link attacks to the group and track who they were attacking or doing reconnaissance on.
Researchers were able to identify that APT33 has a big interest in websites that are used to recruit employees in the oil and gas industry. Companies in this industry should be cautious and do a review of their network to ensure they have not been infected by any of the known IP addresses. The group was also seen visiting penetration testing company websites, cryptocurrency hacking websites, and websites on vulnerabilities. In instances like this with new IOC’s available (Indicators of Compromise), companies should begin looking at their networks to make sure that none of the threat group’s IP addresses ever accessed their network. IOC’s and the full research from Trend Micro can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/