The Iranian hacking group APT33 has developed a new malware called FalseFont and is using it to target the Defense Industrial Base worldwide. Microsoft reported a surge in the group's activity in December 2023.
APT33 targets defense firms with FalseFont malware
Researchers recently shed light on a new cyber-espionage campaign in which the Iranian APT33 group has been deploying a newly developed backdoor, FalseFont, against the global Defense Industrial Base (DIB). The DIB sector, comprising over 100,000 companies and subcontractors, faces heightened risk: integral to developing military weapons systems, these entities are prime targets for cyber espionage.
The FalseFont campaign continues a series of attacks that started in February 2023, when Peach Sandstorm (Microsoft's name for APT33) carried out extensive password spray attacks against thousands of organizations worldwide. FalseFont is a custom-built backdoor that gives its operators remote access to compromised systems and extensive control over them, including executing files and transferring them to command-and-control servers. First detected in early November 2023, FalseFont marks a significant evolution in Peach Sandstorm's tradecraft.
More About APT33 Group
APT33, aka Peach Sandstorm, Refined Kitten, or Holmium, is an Iranian cyber espionage group active since at least 2013. It is considered a high-risk threat due to its sophisticated use of malware, complex social engineering, and targeted attacks against high-value organizations. The gang primarily targets organizations in the United States, Saudi Arabia, and South Korea. It appears to be particularly interested in the aerospace and energy sectors.
The group gains access to networks through phishing, exploitation of software vulnerabilities, and stolen credentials, and it develops its own custom malware. APT33 is believed to operate on behalf of the Iranian government and has been linked to various cyber espionage campaigns aimed at stealing information on politics, military technologies, energy, and infrastructure.
Middle East Malware On The Rise
Against the current geopolitical situation, threat actors affiliated with Russia have taken much of the limelight. Although Russia and Iran are of the same ilk, the current situation brings some diversity. At first glance, Middle Eastern malware may seem like a local concern, but judging by the red flags, these threat actors could also cause security problems for other countries, in Europe and on other continents.
These developments suggest that Middle Eastern countries are investing heavily in digital espionage capabilities, focusing on strategic targets worldwide, especially in the defense and technology sectors. Overall, it can be concluded that even under sanctions, a government that wants to can afford to maintain state-sponsored hackers.
Proactive Measures and Recommendations
Organizations operating in the aerospace and energy industries must prioritize the security of their critical infrastructure systems. Especially for entities located in countries hostile to Iran, it’s crucial to exercise added caution against phishing attacks and social engineering.
Experts who monitor and report these threats advise network defenders to reset credentials and revoke session cookies for accounts targeted in these attacks. Implementing multi-factor authentication for accounts and endpoints is also recommended to fortify defenses against such threats.
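The password spray attacks mentioned above are easy to miss with account-centric lockout rules, because each account sees only one or two failures. The following added example (written for this article, not Microsoft's or any vendor's tooling) shows the source-centric check a defender would run instead: group authentication failures by source address, flag sources that touch many distinct accounts with few attempts each inside a time window, and then list the accounts that authenticated successfully from a flagged source, which are the ones whose credentials to reset and sessions to revoke first. The log format, field names, sample addresses and thresholds are all assumptions constructed for the demo.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the original article. The log format below
(ISO timestamp, result, user=..., src=...) and the thresholds are
assumptions chosen for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (documentation-range IPs): one source tries many
# accounts once each (spray), another hammers a single account (brute force),
# plus a legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
2023-11-02T08:00:01Z FAIL user=alice src=203.0.113.7
2023-11-02T08:00:03Z FAIL user=bob src=203.0.113.7
2023-11-02T08:00:05Z FAIL user=carol src=203.0.113.7
2023-11-02T08:00:07Z FAIL user=dave src=203.0.113.7
2023-11-02T08:00:09Z FAIL user=erin src=203.0.113.7
2023-11-02T08:00:11Z OK   user=frank src=203.0.113.7
2023-11-02T08:01:00Z FAIL user=admin src=198.51.100.9
2023-11-02T08:01:01Z FAIL user=admin src=198.51.100.9
2023-11-02T08:01:02Z FAIL user=admin src=198.51.100.9
2023-11-02T08:01:03Z FAIL user=admin src=198.51.100.9
2023-11-02T08:01:04Z FAIL user=admin src=198.51.100.9
2023-11-02T08:02:00Z FAIL user=alice src=192.0.2.5
2023-11-02T08:02:30Z OK   user=alice src=192.0.2.5
"""


def parse_line(line):
    """Parse one log line of the assumed format into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ok": result == "OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted distinct accounts} for sources whose failures
    within `window` hit at least `min_accounts` accounts with no more than
    `max_per_account` failures each.

    The low per-account count is what distinguishes a spray from a brute
    force against one account; it is also what keeps a spray under per-account
    lockout thresholds, so the check has to be keyed on the source, not the user.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    failures_by_src = defaultdict(list)
    for ev in events:
        if not ev["ok"]:
            failures_by_src[ev["src"]].append(ev)

    flagged = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0  # sliding window over this source's failures
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_account = defaultdict(int)
            for ev in fails[start:end + 1]:
                per_account[ev["user"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                flagged[src] = sorted(per_account)
                break
    return flagged


def successful_logins_from(log_text, sources):
    """Accounts that authenticated successfully from a flagged source.
    These are the credentials to reset and the sessions to revoke first."""
    hits = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["ok"] and ev["src"] in sources:
            hits.add(ev["user"])
    return sorted(hits)


if __name__ == "__main__":
    sprayers = detect_spray(SAMPLE_LOG)
    print("spray sources:", sprayers)
    print("accounts to reset/revoke first:",
          successful_logins_from(SAMPLE_LOG, sprayers))
```

On the constructed sample, only 203.0.113.7 is flagged: 198.51.100.9 fails five times but against a single account, and 192.0.2.5 is a user who mistyped once. The success for `frank` from the flagged source is the finding that should drive the credential reset and session revocation the article recommends.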