Iran-Linked Hackers Said to Be Attacking U.S. Companies

Cybersecurity company FireEye has identified what it says is a hacking group sponsored by the Iranian government that has targeted organizations in the U.S., the Middle East and Asia.

The firm that gathers cyber intelligence and responds to incidents through its Mandiant subsidiary, said in a report out Wednesday that the Iranian hacking group has targeted companies involved in the petrochemical industry and in military and commercial aviation — perhaps seeking an edge in its regional rivalry with Saudi Arabia. FireEye dubbed the group APT33 — APT stands for “advanced persistent threat” — and says it has hacked targets through spearphishing emails.

“These campaigns demonstrate the depth of Iran’s cyber capabilities,” said John Hultquist, director of intelligence analysis for FireEye. “Actors like APT33, now narrowly focused on the Middle East, are the tools Iran will reach for if they choose to carry out attacks in the future.”

Attributing cyber activity is a matter of detective work. FireEye traced the hackers to Iran in part through a handle, “xman_1365_x,” that the firm linked to an Iranian government software engineer. The report also notes that the hackers’ workday appeared to correspond to Iran’s time zone, and Iran’s Saturday to Wednesday work week.

“APT33’s focus on aviation may indicate the group’s desire to gain insight into regional military aviation capabilities to enhance Iran’s aviation capabilities or to support Iran’s military and strategic decision making,” the report says.

“Their targeting of multiple holding companies and organizations in the energy sectors align with Iranian national priorities for growth, especially as it relates to increasing petrochemical production. We expect APT33 activity will continue to cover a broad scope of targeted entities, and may spread into other regions and sectors as Iranian interests dictate.”