APT33 Iranian group created its own VPN-network, but this only deteriorated privacy
Trend Micro analysts have long been watching the Iranian hacking group APT33, which has been active since at least 2013 and is, in particular, behind the infamous Shamoon malware. It has now become known that APT33 has built its own VPN network.
In 2019, the victims of APT33 included a private American company providing national security services, universities and colleges in the United States, and a number of companies and organizations in the Middle East and Asia. Having studied the activity of APT33 for a long time, researchers were able to work out how the group manages its infrastructure: a multi-layered, isolated system designed to hide the activity of APT33 operators from the attention of specialists. Analysts write that there are four layers between APT33 operators and their targets:
- VPN level – a specially built network of VPN nodes necessary to hide the real IP address and location of the operator;
- Bot Controller level – an intermediate level of servers;
- back-end C&C level – the actual internal servers through which the group manages its botnets;
- proxy level – a set of cloud proxies that hide the management servers' communication with infected hosts.
However, as it turned out, APT33 does not use commercial VPN servers to hide its location, as other groups do. Instead, the hackers built their own VPN network, since it is not difficult to rent a couple of servers and run open source software (for example, OpenVPN). However, this VPN setup ultimately made it easier for researchers to track the group.
The reason is that Trend Micro specialists only needed to monitor a handful of IP addresses. Had APT33 used commercial VPNs, its activity would easily have been lost among the traffic of other users.
“APT33 probably only uses its VPN exit nodes. We’ve been tracking some of the private output nodes of the VPN group for more than a year, and have listed the IP addresses we know in the table below,” write Trend Micro experts.
Interestingly, the group uses its private VPN not only to connect to botnet control panels, but also for other tasks, including reconnaissance of networks related to the oil industry. Accordingly, researchers have observed some of these IP addresses being used for reconnaissance against the networks of an unnamed oil company, military hospitals in the Middle East, and an unnamed oil company in the United States.
Given APT33’s interest in the oil industry (Trend Micro warns that the hackers have also visited sites used for recruiting in the oil and gas sector), companies are advised to check their security logs for the listed IP addresses, that is, to make sure that APT33 has not taken an interest in them.
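The log check recommended above, as an added example that is not Trend Micro's code: it sweeps web server access logs (combined log format) for client IPs that fall in a watchlist of hosts or CIDR ranges. The watchlist entries and log lines are constructed placeholders, because this article does not reproduce the table of exit-node IPs; a defender would substitute the published indicators.

```python
import ipaddress
import re

# Constructed placeholder watchlist (documentation ranges), standing in for the
# exit-node IPs in the Trend Micro table. Entries may be single hosts or CIDRs.
WATCHLIST = ["198.51.100.23", "203.0.113.0/28"]

# Constructed sample lines in Apache/nginx combined log format, plus one junk line.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Nov/2019:08:12:01 +0000] "GET /careers/oil-gas HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Nov/2019:08:12:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2019:08:13:40 +0000] "GET /vpn/login HTTP/1.1" 302 0 "-" "curl/7.64"
not a log line
"""

# Client IP, timestamp, request line and status code of a combined-format entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_networks(entries):
    """Normalise watchlist entries to ip_network objects (bare hosts become /32 or /128)."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_hits(log_text, watchlist=WATCHLIST):
    """Return (line_number, ip, timestamp, request) for each line whose client IP is watchlisted."""
    nets = build_networks(watchlist)
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole sweep
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field
        if any(ip in net for net in nets):
            hits.append((lineno, str(ip), m.group("ts"), m.group("req")))
    return hits


if __name__ == "__main__":
    for lineno, ip, ts, req in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: {ip} at {ts} requested {req!r}")
```

Because the watchlist accepts CIDR ranges, the same sweep works when an indicator is published as a block rather than a single address.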