Hacking hands
FireEye exposed APT33, a suspected Iranian hacking unit iStock

A group of hackers suspected of working in Iran for its government is targeting the aviation and energy industries in Saudi Arabia, the US and South Korea, a cybersecurity firm warned Wednesday (20 September 2017).

The report by FireEye also said the suspected Iranian hackers left behind a new type of malware that could have been used to destroy the computers it infected, an echo of two other Iran-attributed cyberattacks targeting Saudi Arabia in 2012 and 2016 that destroyed systems.

Iran's office at the United Nations did not immediately respond to a request for comment Wednesday and its state media did not report on the claims.

However, suspected Iranian hackers have long operated without caring if people found it was them or if there would be consequences, making them incredibly dangerous, said Stuart Davis, a director at one of FireEye's subsidiaries.

"Today, without any repercussions, a neighbouring country can compromise and wipe out 20 institutions," Davis said.

FireEye refers to the group as APT33, an acronym for "advanced persistent threat".

"APT33 has targeted organisations – spanning multiple industries – headquartered in the United States, Saudi Arabia and South Korea," FireEye said in its report.

The researchers said that the team's hackers have "shown particular interest in organisations in the aviation sector involved in both military and commercial capacities, as well as organisations in the energy sector with ties to petrochemical production".

The report added: "We assess the targeting of multiple companies with aviation-related partnerships to Saudi Arabia indicates that APT33 may possibly be looking to gain insights on Saudi Arabia's military aviation capabilities to enhance Iran's domestic aviation capabilities."

They used phishing email attacks with fictional job opportunities to gain access to the companies affected, faking domain names to make it look like the messages came from defence contractors.

The hackers remained inside of the systems of those affected for "four to six months" at a time, able to steal data and leaving behind the malware that FireEye refers to as Shapeshifter.

The coding contains Farsi-language references, the official language of Iran, FireEye said.

Timestamps in the code also correspond to hackers working from Saturday to Wednesday, the Iranian workweek, Davis said.

The programmes used in the campaign are popular with Iranian coders, servers were registered via Iranian companies and one of the spies appears to have accidentally left his online handle, "xman_1365_x", in part of the computer code.

That name "shows up all over Iranian hacker forums," FireEye's John Hultquist said. "I don't think they're worried about being caught. They just don't feel like they have to bother."

One of the email addresses used to register a malicious server belongs to an Ali Mehrabian, who used the same address to create more than 120 Iranian websites over the past six years.

Computer code
Special malware was used in the hacking, FireEye said Markus Spiske/Unsplash

Neither Mehrabian, who listed himself as living in Tehran, nor "xman_1365_x" returned emails seeking comment.

Iran developed its cyber-capabilities in 2011 after the Stuxnet computer virus destroyed thousands of centrifuges involved in Iran's contested nuclear program.

Stuxnet is widely believed to be an American and Israeli creation.

Iran is believed to be behind the spread of Shamoon in 2012, which hit Saudi Arabian Oil Co. and Qatari natural gas producer RasGas.

The virus deleted hard drives and then displayed a picture of a burning American flag on computer screens. Saudi Aramco ultimately shut down its network and destroyed over 30,000 computers.

A second version of Shamoon raced through Saudi government computers in late 2016, this time having the destroyed computers display a photograph of the body of 3-year-old Syrian boy Aylan Kurdi, who drowned fleeing his country's civil war. Suspicion again fell on Iran.

FireEye's report said it believed APT33 "is likely in search of strategic intelligence capable of benefiting a government or a military sponsor".

High on the list of any potential suspects within Iran would be its paramilitary Revolutionary Guard.

US prosecutors in March 2016 accused hackers associated with Guard-linked companies of attacking dozens of banks and a small dam near New York City.

Hackers linked to the Guard also have been suspected of targeting the email and social-media accounts of Obama administration officials.