Elfin Team

Advanced Persistent Threat 33 (APT33) is a hacker group identified by FireEye as being supported by the government of Iran. The group has also been called Elfin Team, Refined Kitten (by Crowdstrike), Magnallium (by Dragos), Peach Sandstorm, and Holmium (by Microsoft).

History
FireEye believes that the group was formed no later than 2013.

Targets
APT33 has reportedly targeted aerospace, defense and petrochemical industry targets in the United States, South Korea, and Saudi Arabia.

Modus operandi
APT33 reportedly uses a dropper program designated DropShot, which can deploy a wiper called ShapeShift, or install a backdoor called TurnedUp. The group is reported to use the ALFASHELL tool to send spear-phishing emails loaded with malicious HTML Application files to its targets.

APT33 registered domains impersonating many commercial entities, including Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell.

Identification
FireEye and Kaspersky Lab noted similarities between the ShapeShift and Shamoon, another virus linked to Iran. APT33 also used Farsi in ShapeShift and DropShot, and was most active during Iran Standard Time business hours, remaining inactive on the Iranian weekend.

One hacker known by the pseudonym of xman_1365_x was linked to both the TurnedUp tool code and the Iranian Nasr Institute, which has been connected to the Iranian Cyber Army. xman_1365_x has accounts on Iranian hacker forums, including Shabgard and Ashiyane.