Cybersecurity News & Analysis
github defconxt • © 2026 • blacktemple.net

APT33

Also known as: Elfin · Magnallium · Refined Kitten · Peach Sandstorm · Holmium · COBALT TRINITY

nation-state
Nation: 🇮🇷 Iran
Active Since: 2013
Targets: Aerospace, Aviation, Defense, Energy, Oil and Gas, Petrochemical, Government, Military
Known Tools: SHAPESHIFT, TURNEDUP, AutoIt Backdoor, NANOCORE, NETWIRE, ALFASHELL, DropShot, StoneDrill, Shamoon, Cobalt Strike
MITRE ATT&CK: T1566.001, T1566.002, T1078, T1059.001, T1059.003, T1190, T1486, T1485, T1027, T1071.001, T1573, T1036, T1110.003, T1583.001, T1003
References: MITRE ATT&CK · Mandiant APT33 Report · Microsoft - Peach Sandstorm · CISA Advisory - Iranian APT Activity

Background

APT33, widely tracked as Elfin or Peach Sandstorm, is an Iranian cyber espionage group attributed to Iran's Islamic Revolutionary Guard Corps (IRGC). Active since at least 2013, APT33 is considered Iran's most capable actor targeting the aerospace, aviation, and energy sectors — particularly oil and gas infrastructure in Saudi Arabia and the broader Gulf region. The group's targeting is closely aligned with Iran's strategic rivalry with Saudi Arabia and the broader Gulf Cooperation Council, as well as efforts to develop indigenous aerospace and defense capabilities through intellectual property theft.

APT33's operational sophistication includes the development of custom destructive malware alongside traditional espionage tooling, suggesting tasking that goes beyond pure intelligence collection to include pre-positioning for disruptive strikes against critical infrastructure. The group's connection to the 2017 Shamoon 2.0 and StoneDrill disk-wiping campaigns targeting Saudi Aramco and petrochemical facilities demonstrated its willingness to deploy destructive capabilities when ordered.

The group employs two distinct operational tracks: targeted espionage against defense and aerospace firms to steal technical specifications and research, and aggressive destructive operations against Saudi Arabia's energy sector aligned with periods of heightened Iran-Saudi geopolitical tension. Since 2023, Microsoft has documented APT33 (Peach Sandstorm) conducting extensive password spray campaigns against thousands of organizations globally, representing a shift toward opportunistic initial access alongside targeted operations.

Notable Campaigns

Saudi Aerospace and Defense Targeting (2016-2018) — APT33 conducted a sustained campaign against Saudi aerospace and aviation organizations, including Saudi Arabian Airlines (Saudia) and Alsalam Aircraft Company. Simultaneously, the group targeted U.S. defense contractors with Saudi business relationships. The campaign resulted in significant theft of aerospace design data, maintenance procedures, and contractual information.

Shamoon 2 and StoneDrill (2016-2017) — APT33 operators were assessed to have supported or coordinated with the Shamoon 2 disk-wiping attacks against Saudi Aramco affiliates and other Saudi Arabian organizations. The StoneDrill wiper, discovered in European petrochemical targets alongside Shamoon, shared code similarities with APT33 tooling and was deployed against organizations in Europe with business ties to the Gulf.

Refined Kitten Energy Sector Campaign (2018-2019) — A sustained campaign targeting energy sector organizations in Saudi Arabia, South Korea, and the United States. The group used spearphishing emails with aviation recruitment lures, exploited publicly known vulnerabilities in internet-facing systems, and deployed TURNEDUP and AutoIt-based backdoors for persistent access.

Password Spray Campaign (2023-2024) — Microsoft disclosed that Peach Sandstorm conducted a global password spray campaign targeting thousands of organizations, including those in the defense, satellite, pharmaceutical, and government sectors. Successful initial access was leveraged to move laterally using Azure native tools, deploy AzureAD reconnaissance scripts, and in some cases deploy a novel post-compromise framework called FalseFont.

Tactics, Techniques & Procedures

Initial Access — APT33 uses highly tailored spearphishing emails with aviation and aerospace recruitment lures, including fake job postings from legitimate-looking talent recruitment firms (T1566.001). The group operates watering hole sites targeting aerospace and defense professionals. More recently, the group has conducted large-scale password spray campaigns (T1110.003) against internet-facing infrastructure including Office 365, VPN portals, and OWA.

Execution and Persistence — APT33 deploys custom backdoors including SHAPESHIFT and TURNEDUP alongside commodity tools like NETWIRE and NANOCORE. Persistence mechanisms include scheduled tasks, registry run keys, and startup folder modifications. The group uses AutoIt-compiled backdoors to hinder static analysis.

Pre-Positioning for Destructive Operations — A distinctive APT33 behavior is the pre-positioning of destructive wiper malware within victim networks for potential future activation. The deployment of DropShot (a wiper dropper) and connections to Shamoon-style disk-wiper malware indicate the group may maintain standing destructive capabilities within compromised energy sector networks awaiting activation orders.

Lateral Movement and Collection — The group uses credential dumping tools and harvested credentials for lateral movement across victim networks. Collection focuses on technical documentation, engineering files, employee directories, and email archives. Data is staged and compressed before exfiltration over encrypted C2 channels.

Tools & Malware

  • SHAPESHIFT — A disk-wiping malware capable of wiping files across attached drives, used in destructive operations against Saudi Arabian targets. Shares characteristics with the Shamoon wiper family.
  • TURNEDUP — A custom APT33 backdoor providing remote command execution, file upload/download, and shell access. Uses HTTP for C2 communication with encoded request parameters.
  • DropShot — A dropper and wiper tool capable of wiping files while installing backdoors, providing both initial access and destructive capabilities in a single payload.
  • StoneDrill — A sophisticated wiper malware with anti-detection features including the use of a custom memory-resident PE injector, targeting European and Middle Eastern organizations.
  • ALFASHELL — A Python-based reverse shell tool used for lightweight initial access and lateral movement.
  • AutoIt Backdoor — Custom backdoor compiled using AutoIt, a scripting language for Windows GUI automation, making static analysis more difficult.
  • NANOCORE / NETWIRE — Commodity remote access tools used alongside custom tooling, providing plausible deniability through the use of widely available tools.
  • Cobalt Strike — Commercial post-exploitation framework observed in post-2020 APT33 operations for C2 and lateral movement.

Indicators & Detection

Email and Social Engineering — Monitor for aviation and aerospace job recruitment emails from unverified external senders, particularly those directing recipients to external portals for application submission. Implement DMARC, DKIM, and SPF enforcement. Train aerospace and energy sector employees on the specific recruitment lure tactics used by APT33.

Password Spray Detection — Implement account lockout and alerting for repeated failed authentication attempts across multiple accounts from a single source IP. Monitor for authentication failures followed by an immediate success, indicative of a successful password spray. Alert on authentication events from Tor exit nodes, known VPN services, and Iranian IP ranges. Enable multi-factor authentication universally for all internet-facing authentication portals.
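The two signals described above (one source failing against many distinct accounts, then a success for one of those accounts from the same source) can be scored from plain authentication logs. The following is an added example, not code from the original page or from any of the cited vendor reports; the log format (timestamp, source IP, account, outcome) and the thresholds of 5 accounts in a 10-minute window are assumptions for illustration, and the sample log lines are constructed.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the original page. The log format is invented;
adapt parse_line() to the export format of your IdP, VPN or OWA logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.10 tries many accounts and eventually
# gets in as "erin" (spray); 198.51.100.7 is one user who mistyped a
# password twice, which must not be scored as a spray.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 203.0.113.10 alice FAIL
2024-03-01T09:00:04Z 203.0.113.10 bob FAIL
2024-03-01T09:00:07Z 203.0.113.10 carol FAIL
2024-03-01T09:00:10Z 203.0.113.10 dave FAIL
2024-03-01T09:00:13Z 203.0.113.10 erin FAIL
2024-03-01T09:00:16Z 203.0.113.10 frank FAIL
2024-03-01T09:00:19Z 203.0.113.10 erin SUCCESS
2024-03-01T09:05:00Z 198.51.100.7 alice FAIL
2024-03-01T09:05:30Z 198.51.100.7 alice FAIL
2024-03-01T09:06:00Z 198.51.100.7 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return spray candidates and failure-then-success pairs.

    spray_sources:     IPs that failed against >= min_accounts distinct
                       accounts inside a sliding window (assumed thresholds).
    fail_then_success: (ip, user) where a success followed earlier failures
                       for that user from the same IP within the window.
    high_confidence:   the intersection, i.e. a spraying source that got in.
    """
    events = sorted(parse_line(ln) for ln in log_text.splitlines() if ln.strip())
    recent_fails = defaultdict(list)  # ip -> [(ts, user)] still inside window
    spray_sources = set()
    fail_then_success = []
    for ts, ip, user, outcome in events:
        # Expire failures older than the window before scoring this event.
        recent_fails[ip] = [(t, u) for t, u in recent_fails[ip] if ts - t <= window]
        if outcome == "FAIL":
            recent_fails[ip].append((ts, user))
            if len({u for _, u in recent_fails[ip]}) >= min_accounts:
                spray_sources.add(ip)
        elif outcome == "SUCCESS" and any(u == user for _, u in recent_fails[ip]):
            fail_then_success.append((ip, user))
    return {
        "spray_sources": sorted(spray_sources),
        "fail_then_success": fail_then_success,
        "high_confidence": [(ip, u) for ip, u in fail_then_success if ip in spray_sources],
    }


if __name__ == "__main__":
    for key, value in detect_spray(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The single-user failure-then-success on 198.51.100.7 is still reported, but only the pair that also comes from a spraying source lands in `high_confidence`; in practice that list, enriched with the source reputation checks the page recommends (Tor exit nodes, VPN providers, geolocation), is what should page an analyst.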

Network Detection — Monitor HTTPS traffic for communication patterns associated with TURNEDUP C2, including regular beacon intervals and encoded parameters in GET requests. Detect SHAPESHIFT and StoneDrill deployment by monitoring for processes that enumerate attached volumes and open files with write access across multiple directories simultaneously.
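Regular beacon intervals and encoded GET parameters are both measurable from proxy or flow logs. The block below is an added example, not code from the original page and not a detection published for TURNEDUP; it groups requests by (source, destination host), measures the spacing between consecutive requests, and flags pairs whose spacing is nearly constant (coefficient of variation at or below an assumed 0.2) while also noting long base64-looking query values. The proxy log format, hostnames and thresholds are constructed for illustration.

```python
"""Beacon-regularity detection over constructed web proxy log lines.

Added example, not from the original page. The log format
(timestamp, client IP, method, URL) is invented; map the fields from
your proxy or NetFlow export.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample: 10.0.0.5 hits one host every ~60 s with a long
# base64-looking "id" parameter; 10.0.0.9 is ordinary irregular browsing.
SAMPLE_PROXY_LOG = """\
2024-03-01T10:00:00Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=aGVsbG8gd29ybGQgdGhpcyBpcyBsb25n
2024-03-01T10:00:30Z 10.0.0.9 GET https://www.example.test/news
2024-03-01T10:01:02Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=YW5vdGhlciBsb25nIGVuY29kZWQgdmFsdWU
2024-03-01T10:02:01Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=dGhpcmQgYmVhY29uIHBheWxvYWQgYmxvYg
2024-03-01T10:02:59Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=Zm91cnRoIGJlYWNvbiBwYXlsb2FkIGJsb2I
2024-03-01T10:04:00Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=ZmlmdGggYmVhY29uIHBheWxvYWQgYmxvYg
2024-03-01T10:05:03Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=c2l4dGggYmVhY29uIHBheWxvYWQgYmxvYg
2024-03-01T10:06:01Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=c2V2ZW50aCBiZWFjb24gcGF5bG9hZA
2024-03-01T10:07:00Z 10.0.0.5 GET https://cdn.example-update.test/index.php?id=ZWlnaHRoIGJlYWNvbiBwYXlsb2FkIGJsb2I
2024-03-01T10:07:12Z 10.0.0.9 GET https://www.example.test/about
2024-03-01T10:07:20Z 10.0.0.9 GET https://www.example.test/contact?page=2
2024-03-01T10:15:44Z 10.0.0.9 GET https://www.example.test/news
"""

# A query value of 16+ base64-alphabet characters; a crude but useful
# proxy for "encoded request parameter".
ENCODED_PARAM = re.compile(r"[?&][A-Za-z0-9_]+=([A-Za-z0-9+/=_-]{16,})")


def parse_proxy_line(line):
    """Split one constructed proxy line into (timestamp, client IP, URL)."""
    ts, src, _method, url = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, url


def find_beacons(log_text, min_hits=4, max_cv=0.2):
    """Flag (client, host) pairs whose request spacing is nearly constant.

    cv = stdev(gaps) / mean(gaps); a sleep-with-small-jitter beacon gives a
    cv well under 0.2, while human browsing is far more irregular. At least
    three gaps are needed for a meaningful stdev, so min_hits is clamped to 4.
    """
    min_hits = max(min_hits, 4)
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, url = parse_proxy_line(line)
        by_pair[(src, urlsplit(url).hostname)].append((ts, url))

    findings = []
    for (src, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src,
                "host": host,
                "hits": len(hits),
                "mean_interval_s": float(mean),
                "cv": cv,
                "encoded_params": any(ENCODED_PARAM.search(u) for _, u in hits),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_PROXY_LOG):
        print(f)
```

The regularity score and the encoded-parameter flag are deliberately separate fields: a CDN health check can beacon regularly without carrying encoded data, and a legitimate API can carry base64 without a fixed cadence, so the two together are the stronger indicator.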

Critical Infrastructure Protection — Energy sector organizations, particularly those with Saudi Arabian or Gulf region business relationships, should treat APT33 as an active pre-positioning threat. Assume that wiper malware may be dormant on networks. Implement network segmentation between IT and OT environments, deploy deception technology, and conduct tabletop exercises for wiper malware activation scenarios.

Related Intelligence (1)

[high] Iran Conflict Escalation Raises Critical Infrastructure Cyber Threat Concerns (Mar 2, 2026)
