
Iranian APT33 group built its own VPN network, but this only made it easier to track

Trend Micro analysts have long been watching the Iranian hacking group APT33, which has been active since at least 2013 and is, in particular, linked to the deployment of the infamous Shamoon malware. It has now emerged that APT33 has built its own VPN network.

In 2019, the victims of APT33 were a private American company providing national security services, universities and colleges in the United States, as well as a number of companies and organizations in the Middle East and Asia.

After studying APT33's activity for a long time, the researchers were able to work out how the group manages its infrastructure: a multilayered, isolated system designed to keep APT33's operators out of the sight of investigators. Analysts describe four layers between APT33's operators and their targets:

  1. VPN layer – a purpose-built network of VPN nodes used to hide the real IP address and location of the operator;
  2. Bot controller layer – an intermediate layer of servers;
  3. C&C backend layer – the actual internal servers through which the group manages its botnets;
  4. Proxy layer – a set of cloud-hosted proxies that hide the C&C servers from the infected hosts.

However, it turned out that APT33 does not use commercial VPN services to hide its location, as other groups do. Instead, the hackers built their own VPN network, which is not difficult: rent a few servers and run open-source software (OpenVPN, for example). But this very setup ultimately made it easier for researchers to track the group.


The upshot is that Trend Micro's specialists only had to watch a handful of IP addresses. Had APT33 used commercial VPN services, its activity would easily have been lost among other users' traffic.

“APT33 probably only uses its own VPN exit nodes. We have been tracking some of the group’s private VPN exit nodes for more than a year, and have listed the IP addresses we know in the table below,” Trend Micro’s experts write in their report.

Interestingly, the group uses its private VPN not only to connect to botnet control panels, but also for other tasks, including reconnaissance of networks related to the oil industry. Researchers observed some of the listed IP addresses being used for reconnaissance against the networks of an unnamed oil company and military hospitals in the Middle East, as well as an unnamed oil company in the United States.

Given APT33’s interest in the oil industry (Trend Micro notes that the hackers have also visited websites used for recruiting in the oil and gas sector), companies are advised to search their security logs for the listed IP addresses, in order to make sure that APT33 has not taken an interest in them.
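The log check described above can be scripted. The example below is added here and is not code from Trend Micro or from this article; the indicator list and the log lines are constructed placeholders drawn from the RFC 5737 documentation ranges, not APT33's real exit-node addresses, and a practitioner would substitute the IPs from Trend Micro's table. It extracts IPv4 addresses as whole tokens (so 198.51.100.1 is not reported as a hit inside 198.51.100.10) and also accepts CIDR blocks in the indicator list.

```python
"""Scan log lines for known indicator IP addresses.

Added example, not Trend Micro's or the article's code. INDICATORS and
SAMPLE_LOG are constructed placeholders (RFC 5737 documentation ranges),
not APT33's real VPN exit nodes.
"""
import ipaddress
import re

# Matches an IPv4 dotted quad only as a whole token: no digit or dot may
# precede or follow it, so "198.51.100.1" is not found inside "198.51.100.10".
IPV4_TOKEN = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed indicator list. A published table of exit-node IPs would go here;
# single addresses and CIDR blocks are both accepted.
INDICATORS = [
    "203.0.113.7",
    "198.51.100.1",
    "192.0.2.0/28",
]

# Constructed sample log lines (sshd, httpd and firewall formats mixed).
SAMPLE_LOG = [
    '2019-11-14T08:12:03Z sshd[2210]: Failed password for admin from 203.0.113.7 port 51122 ssh2',
    '2019-11-14T08:12:09Z httpd: 198.51.100.10 - - "GET /careers/ HTTP/1.1" 200',
    '2019-11-14T08:13:41Z httpd: 192.0.2.9 - - "GET /login HTTP/1.1" 302',
    '2019-11-14T08:15:00Z httpd: 10.20.30.40 - - "GET / HTTP/1.1" 200',
    '2019-11-14T08:16:22Z fw: DROP src=198.51.100.1 dst=10.20.30.5 proto=tcp dport=445',
]


def build_networks(indicators):
    """Parse indicators into ip_network objects; a bare address becomes a /32."""
    return [ipaddress.ip_network(ind.strip(), strict=False) for ind in indicators]


def find_hits(lines, networks):
    """Return (line_no, matched_ip, matched_indicator, line) for every hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                # e.g. 999.1.1.1 satisfies the regex but is not a valid address
                continue
            for net in networks:
                if addr in net:
                    hits.append((lineno, token, str(net), line.strip()))
                    break  # one report per token even if indicators overlap
    return hits


def scan_sample():
    """Run the scan over the constructed sample log."""
    return find_hits(SAMPLE_LOG, build_networks(INDICATORS))


if __name__ == "__main__":
    for lineno, ip, indicator, line in scan_sample():
        print(f"line {lineno}: {ip} matches {indicator}: {line}")
```

Line 2 of the sample is the deliberate near miss: 198.51.100.10 shares a prefix with the indicator 198.51.100.1 but is not reported. Running the same scan over real firewall, VPN-concentrator or web-server logs is the check the article recommends; a match on one of the published addresses is worth an incident ticket, not just a note.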

In addition, the hackers use the private VPN to visit the websites of various penetration-testing companies, webmail, vulnerability-related sites and sites related to cryptocurrency.

James Brown

Technology news writer and part-time security researcher. Author of how-to articles related to Windows computer issue solving.

