APT33, Elfin, Peach Sandstorm, HOLMIUM, Refined Kitten, Iran, aerospace, energy, petrochemical, spearphishing, password spraying, Outlook Home Page, Ruler, TurnedUp, DropShot, ShapeShift, StoneDrill
1. Executive Summary
APT33 is a suspected Iranian state-aligned threat actor assessed to have operated since at least 2013, with recurring espionage-led campaigns against aviation/aerospace and energy-linked organisations, alongside broader targeting across government and commercial sectors. (attack.mitre.org)
Multiple vendors assess the activity cluster overlaps with alternate names including Elfin (Broadcom/Symantec), Refined Kitten (CrowdStrike), MAGNALLIUM (Dragos), and Peach Sandstorm / HOLMIUM (Microsoft). (attack.mitre.org)
APT33’s intrusion set blends spearphishing and credential-based access (notably password spraying) with selective exploitation of client-side vulnerabilities, including Outlook Home Page abuse (CVE-2017-11774) and WinRAR ACE path traversal (CVE-2018-20250). (Microsoft)
While some reporting has speculated about destructive intent or links to wiper activity, at least one major vendor and Booz Allen both describe those linkages as unconfirmed or not independently verified in their respective analyses. (Google Cloud)
2. Contextual Background
2.1 Nature of the threat
APT33 is primarily characterised as an espionage-focused actor with persistent interest in sectors aligned to strategic state priorities (aerospace, energy/petrochemical, defence-adjacent supply chains), and periodic campaigns that also reach finance, telecoms, research, and government. (Google Cloud)
Public reporting associates APT33 operations with exploitation and tradecraft that frequently centres on:
- CVE-2017-11774 (Microsoft Outlook Security Feature Bypass) used in Outlook Home Page-style execution/persistence chains (often paired with credential access and tooling such as Ruler). (Microsoft)
- CVE-2018-20250 (WinRAR ACE path traversal) used in spearphishing delivery via crafted archives. (security.com)
- CVE-2017-0213 (Windows COM elevation of privilege) referenced as a privilege escalation option in some APT33 reporting and ATT&CK mappings. (attack.mitre.org)
Vendor advisory links:
- CVE-2017-11774: Microsoft MSRC guidance (vendor advisory) and NVD. (NVD)
- CVE-2018-20250: WinRAR 5.70 security announcement (vendor guidance) and NVD. (WinRAR download free and support)
2.2 Threat-actor attribution (confidence)
Across multiple independent sources, APT33 is assessed as Iran-nexus and state-aligned:
- Mandiant (FireEye-era reporting) assesses APT33 operates “at the behest of the Iranian government”. (Google Cloud)
- CrowdStrike assesses Refined Kitten is “likely tied” to IRGC objectives. (CrowdStrike)
- Microsoft assesses Peach Sandstorm operates on behalf of the IRGC (based on victimology and operational focus). (Microsoft)
- Booz Allen attributes APT33 as Iran-based in its hunt report. (boozallen.com)
Assessment: Likely Iranian state-aligned (moderate confidence), based on consistent multi-vendor convergence, but without a single definitive public government attribution naming APT33 in the sources used above. (Google Cloud)
2.3 Sector and geographic targeting
Booz Allen documents primary focus on Saudi Arabia and the United States, while also listing additional targeted countries including the United Kingdom, UAE, South Korea, Belgium, and others. (boozallen.com)
Symantec reports Saudi Arabia accounted for a significant portion of observed Elfin activity (and notes multiple US targets, including major corporations). (security.com)
Microsoft’s Peach Sandstorm reporting extends observed targeting into sectors such as satellite/space, communications equipment, oil and gas, and government, including activity in the US and UAE (and, in some reporting, Australia). (Microsoft)
3. Technical Analysis
3.1 TTPs and ATT&CK mapping highlights
APT33’s commonly reported intrusion patterns include:
Initial access and delivery
- Job-themed spearphishing lures (attachments and links), including HTA-based delivery and archive attachments. (boozallen.com)
- Password spraying and subsequent use of valid cloud/on-prem credentials to pivot into email and endpoint execution paths. (Microsoft)
Execution, persistence, and post-compromise
- Script-based payload delivery via VBScript and PowerShell; scheduled task persistence; and registry run key / startup folder persistence patterns. (attack.mitre.org)
- Credential access via publicly available tools such as LaZagne/Mimikatz/Gpppassword; collection and archiving prior to exfiltration (eg WinRAR usage). (security.com)
C2 and infrastructure
- Domain masquerading (spoofing victim-like brands/themes) and use of dynamic DNS; more recently, Microsoft reports attacker-controlled Azure infrastructure and “azurewebsites[.]net” domains in Tickler-linked activity. (boozallen.com)
3.2 Exploitation status
In-the-wild exploitation and tooling availability
- Both CVE-2017-11774 and CVE-2018-20250 are reflected in NVD as present in CISA’s Known Exploited Vulnerabilities (KEV) catalogue. (NVD)
- Microsoft describes HOLMIUM/Peach Sandstorm using Ruler alongside compromised Exchange/Office 365 credentials to operationalise Outlook Home Page exploitation chains. (Microsoft)
- Mandiant describes continued real-world exploitation of CVE-2017-11774-style Home Page abuse and provides defensive hardening guidance (including registry/GPO enforcement). (Google Cloud)
Destructive capability (carefully scoped)
- Mandiant links DROPSHOT to SHAPESHIFT (wiper-capable) but states it had not directly observed APT33 carrying out destructive operations with SHAPESHIFT in the reporting period. (Google Cloud)
- Symantec notes speculation connecting Elfin and Shamoon, but reports no further evidence at the time to confirm Elfin’s responsibility. (security.com)
- Booz Allen similarly notes it was unable to independently verify attribution of Shamoon wiper attacks to APT33 (or a masquerading group). (boozallen.com)
4. Impact Assessment
4.1 Severity and scope
From a vulnerability perspective, commonly referenced client-side vectors in APT33 reporting carry CVSS v3.1 base scores of 7.8 (High) in NVD for both CVE-2017-11774 and CVE-2018-20250. (NVD)
Operationally, risk is elevated by the actor’s demonstrated willingness to combine “noisy” credential access (password spraying) with more targeted post-compromise tradecraft, including endpoint execution via email client features and persistence. (Microsoft)
Potential impacts typically align with:
- Strategic intelligence collection (technical data, operational planning, supply chain insight) in aerospace, energy, defence-adjacent industries. (Google Cloud)
- Business disruption risk in scenarios where wiper-capable tooling is present or suspected, even if attribution to destructive events remains unconfirmed in key sources. (Google Cloud)
4.2 Victim profile
Observed victimology across the cited sources includes:
- Aviation/aerospace, petrochemical/oil and gas, engineering, defence, satellite/space, communications equipment, and government entities. (Google Cloud)
- Geographic concentration in Saudi Arabia and the US, with additional targeting across Europe and elsewhere (including the UK). (security.com)
5. Indicators of Compromise (IOCs)
5.1 Publicly reported IOCs (selection)
| Type | Value | Context/Notes | Source |
|---|---|---|---|
| Domain | managehelpdesk[.]com | Reported C2 domain associated with commodity RAT activity in APT33 reporting | Mandiant (2017) (Google Cloud) |
| Domain | microsoftupdated[.]com | Reported C2 domain | Mandiant (2017) (Google Cloud) |
| Domain | osupd[.]com | Reported C2 domain | Mandiant (2017) (Google Cloud) |
| Domain/DDNS | mywinnetwork.ddns[.]net | Used in an Elfin case study chain (link/HTA and follow-on scripting) | Symantec (2019) (security.com) |
| Domain | www.chromup[.]com | Reported C2 domain for TURNEDUP | Mandiant (2017) (Google Cloud) |
| Domain | googlmail[.]net | Reported C2 domain for TURNEDUP | Mandiant (2017) (Google Cloud) |
| Domain | topaudiobook[.]net | Domain abused in 2019 HOLMIUM campaign observed by Microsoft | Microsoft (2020) (Microsoft) |
| Domain | customermgmt[.]net | Domain abused in 2019 HOLMIUM campaign observed by Microsoft | Microsoft (2020) (Microsoft) |
| Domain | subreviews.azurewebsites[.]net | Tickler-linked domain indicator | Microsoft (2024) (Microsoft) |
| Domain | satellite2.azurewebsites[.]net | Tickler-linked domain indicator | Microsoft (2024) (Microsoft) |
| SHA-256 | 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198 | Tickler sample hash reported by Microsoft | Microsoft (2024) (Microsoft) |
| SHA-256 | ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4 | “Sold.dll” indicator | Microsoft (2024) (Microsoft) |
| File path | C:\Users\%username%\AppData\Local\Microsoft\Feeds\chfeeds.vbe | VBE payload path used in Symantec case study | Symantec (2019) (security.com) |
Note: This is a non-exhaustive subset of publicly disclosed indicators. Always validate against your own telemetry and current vendor reporting before operationalising blocks.
5.2 Detection guidance
Booz Allen hunt heuristics (examples)
- Look for Office processes spawning scripting engines (eg winword.exe → powershell.exe/cscript.exe/wscript.exe) and anomalous command-line children. (boozallen.com)
- Monitor for password spraying patterns across cloud identity and ADFS-style infrastructure, especially where MFA is absent or inconsistently enforced. (boozallen.com)
- Hunt for credential dumping tooling artefacts (eg Mimikatz-related strings in PowerShell logs) and abnormal LSASS access patterns. (boozallen.com)
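A hunt over process-creation events implementing the first heuristic above (an Office process spawning a script engine, with command-line traits as additional signals). This is an added example, not code from the Booz Allen report; the event records, their field names and the host names are constructed.

```python
"""Hunt for Office applications spawning script engines (added example).

Implements the Booz Allen-style heuristic above: an Office parent spawning
powershell/cscript/wscript/mshta, scored higher when the command line also shows
traits common to scripted payload delivery. Events and field names are constructed
for this example and are not a vendor schema.
"""
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe", "mshta.exe"}

# Command-line traits; each match adds one point to the score.
SUSPICIOUS_CMDLINE = [
    ("encoded_command", re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden_window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("download_cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    ("appdata_script", re.compile(r"\\appdata\\.*\.(vbe|vbs|hta|ps1)\b", re.I)),
]

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return (score, reasons): 3 points for Office->script engine, +1 per command-line trait."""
    parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
    reasons = []
    if parent in OFFICE_PARENTS and child in SCRIPT_CHILDREN:
        reasons.append(f"office_spawns_script:{parent}->{child}")
    cmd_hits = [name for name, rx in SUSPICIOUS_CMDLINE if rx.search(ev["command_line"])]
    return (3 if reasons else 0) + len(cmd_hits), reasons + cmd_hits

def hunt(events, min_score=3):
    """Return flagged events as (host, child, score, reasons), highest score first."""
    hits = [(ev["host"], _basename(ev["image"]), *score_event(ev)) for ev in events]
    return sorted((h for h in hits if h[2] >= min_score), key=lambda h: -h[2])

# Constructed events. The .vbe path reuses the Symantec case-study path from the IOC table;
# the base64 in the third event is a placeholder string, not a payload.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\jdoe\AppData\Local\Microsoft\Feeds\chfeeds.vbe"'},
    {"host": "WS02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "WS03", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
]

if __name__ == "__main__":
    for host, child, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: {child} score={score} ({', '.join(reasons)})")
```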
Microsoft detections and queries
- Microsoft’s Tickler reporting includes Microsoft Defender and Sentinel-oriented queries and explicitly lists IOC domains and file hashes for matching. (Microsoft)
Example KQL-style starting points (adapt to your schema and retention):
```kql
// Possible password spray (high-volume failed sign-ins across many accounts).
// Tune thresholds for your environment and exclude known scanners.
// ResultType is a string column in SigninLogs, so compare against "0" rather than 0.
SigninLogs
| where ResultType != "0"
| summarize FailedAttempts=count(), Users=dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 15m)
| where FailedAttempts > 50 and Users > 20
```

```kql
// Match a small sample of known domains from public reporting (expand carefully).
// In Defender XDR advanced hunting the time column is Timestamp rather than TimeGenerated.
let domains = dynamic([
    "managehelpdesk.com",
    "microsoftupdated.com",
    "osupd.com",
    "topaudiobook.net",
    "customermgmt.net",
    "subreviews.azurewebsites.net",
    "satellite2.azurewebsites.net"
]);
DeviceNetworkEvents
| where RemoteUrl has_any (domains)
| project TimeGenerated, DeviceName, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine
```

```kql
// Match publicly disclosed file hashes (example subset).
let sha256 = dynamic([
    "7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198",
    "ccb617cc7418a3b22179e00d21db26754666979b4c4f34c7fda8c0082d08cec4"
]);
DeviceFileEvents
| where SHA256 in (sha256)
| project TimeGenerated, DeviceName, FolderPath, FileName, SHA256, InitiatingProcessFileName
```
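As an added example extending the spray query above (not part of the original page or of Microsoft's published queries), this Python hunt applies the same thresholds to sign-in records and then correlates a later successful sign-in from a spraying source, the follow-on credential use described in section 3.1. Field names mirror the SigninLogs columns, but the records are constructed.

```python
"""Correlate a password spray with a later successful sign-in from the same source.

Added example, not from the cited reports: it applies the spray query's thresholds
(failures and distinct users per IP per 15-minute bin) and adds the follow-on step the
text describes, a valid-account sign-in from a source that had just been spraying.
Records are constructed; field names mirror SigninLogs columns but are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_FAILURES, MIN_USERS = 50, 20  # same thresholds as the KQL above; tune per environment

def _bin15(ts):
    # Floor to the 15-minute bin start, like bin(TimeGenerated, 15m).
    return ts.replace(minute=ts.minute - ts.minute % 15, second=0, microsecond=0)

def spray_sources(events, min_failures=MIN_FAILURES, min_users=MIN_USERS):
    """Return {ip: {bin_start, ...}} for IPs exceeding both thresholds within one bin."""
    fails = defaultdict(lambda: defaultdict(list))  # ip -> bin -> failed UPNs
    for ev in events:
        if ev["ResultType"] != "0":  # ResultType is a string column; "0" means success
            fails[ev["IPAddress"]][_bin15(ev["TimeGenerated"])].append(ev["UserPrincipalName"])
    sprayers = {}
    for ip, bins in fails.items():
        hot = {b for b, upns in bins.items() if len(upns) > min_failures and len(set(upns)) > min_users}
        if hot:
            sprayers[ip] = hot
    return sprayers

def spray_then_success(events, lookahead=timedelta(hours=24), **thresholds):
    """Successful sign-ins whose source IP was spraying within `lookahead` before them."""
    sprayers = spray_sources(events, **thresholds)
    hits = []
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["ResultType"] != "0" or ev["IPAddress"] not in sprayers:
            continue
        if any(timedelta(0) <= ev["TimeGenerated"] - b <= lookahead for b in sprayers[ev["IPAddress"]]):
            hits.append((ev["IPAddress"], ev["UserPrincipalName"], ev["TimeGenerated"]))
    return hits

def build_sample():
    """Constructed sign-in records (TEST-NET addresses, example.com accounts)."""
    t0, ev = datetime(2024, 6, 1, 9, 0), []
    for i in range(60):
        # 60 failures across 30 accounts in ten minutes from one IP: a spray.
        ev.append({"TimeGenerated": t0 + timedelta(seconds=10 * i), "IPAddress": "203.0.113.10",
                   "UserPrincipalName": f"user{i % 30:02d}@example.com", "ResultType": "50126"})
        # 60 failures against only 3 accounts from another IP: lockout noise, not a spray.
        ev.append({"TimeGenerated": t0 + timedelta(seconds=10 * i), "IPAddress": "198.51.100.5",
                   "UserPrincipalName": f"svc{i % 3}@example.com", "ResultType": "50126"})
    for ip, upn in (("203.0.113.10", "user07@example.com"), ("198.51.100.5", "svc1@example.com")):
        ev.append({"TimeGenerated": t0 + timedelta(minutes=40), "IPAddress": ip,
                   "UserPrincipalName": upn, "ResultType": "0"})  # later successes from both IPs
    return ev
```

Only the success from the spraying source is returned; the source that hammered three accounts trips neither the distinct-user threshold nor the correlation.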
6. Incident Response Guidance
6.1 Containment, eradication, recovery
- Identity containment first: reset affected accounts, revoke refresh tokens/sessions, and enforce MFA everywhere feasible; prioritise admin and email access roles given APT33’s repeated reliance on credential-based entry. (Microsoft)
- Email client hardening: if you suspect Outlook Home Page abuse, review and enforce protective registry/GPO settings (disable WebView where compatible) as described by Mandiant. (Google Cloud)
- Endpoint isolation: quarantine hosts with confirmed execution of HTA/VBS/PowerShell payload chains or with indicators consistent with TURNEDUP/DropShot/POWERTON-like tooling reported by vendors. (boozallen.com)
- Patch validation: confirm Outlook and WinRAR remediation status (and remove WinRAR ACE component exposure where relevant). (WinRAR download free and support)
6.2 Forensic artefacts to collect
- Authentication telemetry: ADFS/Entra ID sign-ins, conditional access logs, O365 audit logs, and mail access patterns. (Microsoft)
- Endpoint artefacts: PowerShell operational logs, scheduled task inventory, Run key changes, Outlook WebView-related registry keys, and suspicious HTA/VBE files. (security.com)
- Network artefacts: DNS/proxy logs and egress connections to known masquerading domains and cloud-hosted infrastructure. (boozallen.com)
6.3 Lessons learned and preventive recommendations
- Treat password spraying as a continuous control gap indicator: enforce MFA, adopt smart lockout controls, and monitor for credential stuffing conditions across SaaS and perimeter auth. (Microsoft)
- Reduce “living off email”: lock down Outlook features that can be operationalised for execution/persistence, and consider additional monitoring around mail client registry settings. (Google Cloud)
7. Threat Intelligence Contextualisation
7.1 Comparisons to similar incidents
APT33’s blended model of spearphishing plus credential access aligns with broader Iranian intrusion patterns documented by multiple vendors, but its repeated emphasis on aerospace/energy and email-client execution paths (Outlook Home Page abuse) stands out in the cited reporting. (Google Cloud)
Dragos notes MAGNALLIUM (linked to APT33) remains focused on initial IT intrusions and lacks ICS-specific capability, which is consistent with observations that the group targets ICS-adjacent organisations without necessarily demonstrating control-system disruption tooling in public reporting. (dragos.com)
7.2 Full MITRE ATT&CK mapping (summary table)
| Tactic | Technique ID | Technique Name | Observed Behaviour |
|---|---|---|---|
| Initial Access | T1566.001 (attack.mitre.org) | Spearphishing Attachment | Job-themed lures, archive attachments, malicious docs (boozallen.com) |
| Initial Access | T1566.002 (attack.mitre.org) | Spearphishing Link | Links to HTA/HTML app payloads (attack.mitre.org) |
| Credential Access | T1110.003 (attack.mitre.org) | Password Spraying | High-volume password spray against cloud tenants (Microsoft) |
| Initial Access / Persistence | T1078 (attack.mitre.org) | Valid Accounts | Use of compromised O365/Exchange creds (attack.mitre.org) |
| Execution | T1059.001 (attack.mitre.org) | PowerShell | Scripted download/execution and post-exploitation (attack.mitre.org) |
| Execution / Persistence | T1053.005 (attack.mitre.org) | Scheduled Task | Recurring execution of VBE payloads (attack.mitre.org) |
| Persistence | T1547.001 (attack.mitre.org) | Registry Run Keys / Startup Folder | Run key and startup folder persistence reported (attack.mitre.org) |
| Execution | T1203 (attack.mitre.org) | Exploitation for Client Execution | WinRAR and Outlook client-side exploitation (attack.mitre.org) |
| Persistence | T1137 (attack.mitre.org) | Office Application Startup | Outlook Home Page execution/persistence pattern (Google Cloud) |
| Command and Control | T1071.001 (attack.mitre.org) | Web Protocols | HTTP-based C2 reported in ATT&CK mapping (attack.mitre.org) |
| Collection | T1560.001 (attack.mitre.org) | Archive via Utility | WinRAR used to stage/compress data (attack.mitre.org) |
| Exfiltration | T1048.003 (attack.mitre.org) | Exfiltration Over Unencrypted Non-C2 Protocol | FTP exfiltration referenced in ATT&CK mapping (attack.mitre.org) |
| Credential Access | T1003.001 (attack.mitre.org) | LSASS Memory | Credential dumping with public tooling (attack.mitre.org) |
8. Mitigation Recommendations
8.1 Hardening and best practices
- Enforce MFA for all remote access and cloud identities, especially email and privileged roles; apply conditional access policies that restrict risky sign-ins and enforce strong auth. (Microsoft)
- Reduce credential reuse and exposure: adopt phishing-resistant MFA where feasible, strengthen lockout and password policies, and monitor for password spray patterns. (Microsoft)
- Email execution controls: block or tightly control HTA/VBS execution paths, and apply attachment detonation/sandboxing for archives and Office documents. (security.com)
8.2 Patch management and interim workarounds
Prioritise remediation for exploited client vectors referenced in APT33 reporting:
- CVE-2017-11774 (Outlook): ensure Microsoft patches are applied, and apply the additional Outlook hardening guidance (GPO/registry enforcement) described by Mandiant to prevent patch “override” scenarios. (Google Cloud)
- CVE-2018-20250 (WinRAR): upgrade to WinRAR 5.70+ and remove ACE support exposure; WinRAR also advised deleting UNACEV2.DLL as a protective measure if upgrades cannot be immediately performed. (WinRAR download free and support)
9. Historical Context & Related Vulnerabilities
- Booz Allen’s APT33 hunt report explicitly lists CVE-2017-11774, CVE-2018-20250, and CVE-2017-0213 as CVEs used by APT33 in its tracking. (boozallen.com)
- Mandiant reports APT33 adoption of CVE-2017-11774 techniques from mid-2018 for broader campaigns and highlights that attackers can re-enable vulnerable Outlook behaviours via user-hive registry changes unless hardening controls are continuously enforced. (Google Cloud)
- Symantec’s reporting details attempted exploitation of CVE-2018-20250 in early 2019 within a spearphishing context. (security.com)
10. Future Outlook
Microsoft’s 2023–2024 reporting suggests ongoing evolution in Iranian cloud and identity tradecraft, including large-scale password spraying paired with more targeted follow-on activity, and the use of attacker-controlled Azure infrastructure for command-and-control in some operations. (Microsoft)
Given APT33’s history of alternating between broad credential access phases and tailored intrusion chains, defenders should expect continued blending of opportunistic access attempts with selective high-value targeting in aerospace, energy, defence/space, and related supply chains. (CrowdStrike)
11. Further Reading
- Booz Allen: APT33 Hunt Report (tradecraft, targeting tables, hunt logic) (boozallen.com)
- Mandiant: APT33 targets aerospace and energy sectors (DropShot/TurnedUp context and early IOC set) (Google Cloud)
- Broadcom/Symantec: Elfin (APT33) report (victimology, WinRAR exploitation context, toolset examples) (security.com)
- Microsoft: Peach Sandstorm password spray campaigns (identity tradecraft and overlap statement) (Microsoft)
- Microsoft: Tickler malware operations (IOC list, Azure infrastructure observations) (Microsoft)
- Mandiant: Outlook Home Page attacks and defensive hardening for CVE-2017-11774 (Google Cloud)
- MITRE ATT&CK: APT33 group entry (G0064) (attack.mitre.org)
