Wired writes about Iranian hackers carrying out some of the most disruptive acts of digital sabotage of the last decade, wiping entire computer networks in waves of cyberattacks across the Middle East and occasionally even the US. Now one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.
At the CyberwarCon conference in Arlington, Virginia Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called “password spraying” attacks over the last year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking.
But over the last two months, Microsoft says APT33 has significantly narrowed its password-spraying to around two thousand organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.
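The spraying pattern described above has a recognisable shape in authentication logs: one source failing against many distinct accounts a few times each, rather than many failures against one account. The following is an added example, not code from Wired or Microsoft, of a small detector run over constructed log lines; the log format, field names, thresholds and IP addresses are all assumptions.

```python
"""Password-spray detector over constructed authentication log lines (added example).
A spray tries a few passwords against many accounts, so the signal is one source
failing against many distinct usernames a few times each, not many failures
against one account (classic brute force)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, not real data: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2019-11-20T09:00:01 FAIL user=alice src=203.0.113.7
2019-11-20T09:00:03 FAIL user=bob src=203.0.113.7
2019-11-20T09:00:05 FAIL user=carol src=203.0.113.7
2019-11-20T09:00:07 FAIL user=dave src=203.0.113.7
2019-11-20T09:00:09 FAIL user=erin src=203.0.113.7
2019-11-20T09:00:11 OK user=frank src=203.0.113.7
2019-11-20T09:10:00 FAIL user=alice src=198.51.100.9
2019-11-20T09:10:01 FAIL user=alice src=198.51.100.9
2019-11-20T09:10:02 FAIL user=alice src=198.51.100.9
2019-11-20T09:10:03 FAIL user=alice src=198.51.100.9
2019-11-20T09:30:00 FAIL user=grace src=192.0.2.44
2019-11-20T09:30:30 OK user=grace src=192.0.2.44
"""

def parse_auth_log(text):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]), parts[1], fields["user"], fields["src"]))
    return events

def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Flag sources that fail against >= min_users distinct accounts, each at most
    max_per_user times, inside one window. Successful logins from a flagged source
    are reported too: a spray that landed a valid password is the alert that matters."""
    fails, oks = defaultdict(lambda: defaultdict(list)), defaultdict(set)
    for ts, result, user, src in events:
        if result == "FAIL":
            fails[src][user].append(ts)
        else:
            oks[src].add(user)
    flagged = {}
    for src, per_user in fails.items():
        # Accounts with only a few failures each; heavy per-account failure is brute force, not spray.
        low = {u: ts for u, ts in per_user.items() if len(ts) <= max_per_user}
        times = sorted(t for ts in low.values() for t in ts)
        if len(low) >= min_users and times and times[-1] - times[0] <= window:
            flagged[src] = {"sprayed": sorted(low), "succeeded": sorted(oks[src])}
    return flagged
```

On the sample data only the first source is flagged, with its one successful login listed separately; the single-account brute force from the second source is left for a different rule.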
The hackers’ motivation—and which industrial control systems they’ve actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. “They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” says Moran. “They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”
Moran declined to name any of the specific industrial control system, or ICS, companies or products targeted by the APT33 hackers. But he warns that the group’s targeting of those control systems suggests that Iran may be seeking to move beyond merely wiping computers in its cyberattacks. It may hope to influence physical infrastructure.