Iranian hacking group built its own VPN network

Security researchers identify APT33's private network of 21 VPN nodes.

DDoS Globe Internet Map Traffic

One of Iran's elite state-sponsored hacking groups has built and has been operating its own private network of VPN nodes, which they've using to connect to hacking infrastructure, perform reconnaissance on future targets, and even casual web browsing, according to research published today by cyber-security firm Trend Micro.

The group, tracked in cyber-security circles under the codename of APT33, is, by far, Iran's most sophisticated hacking unit.

They are the ones who developed the disk-wiping malware known as Shamoon (DistTrack) that destroyed over 35,000 workstations at Saudi Arabia's Saudi Aramco in 2012.

Recently, the group has resurfaced with new attacks, primarily targeting the oil and aviation industries, and even deploying a new version of the Shamoon malware, late last year.

In 2019, APT33 operations have relied on classic spear-phishing operations and sometimes on the use of a clever Outlook vulnerability.

Per Trend Micro, confirmed APT33 infections in 2019 include a private American company that offers services related to national security, victims connected to a university and a college in the US, a victim most likely related to the US military, and several victims in the Middle East and Asia.

Tracking down APT33's infrastructure

But researchers say that while investigating these hacks, they were able to gain insight into how APT33 manages its hacking infrastructure.

According to researchers, everything is layered and isolated, to keep APT33 operators underneath a cloak of secrecy from incident responders.

Based on a hand-drawn schema shared by Trend Micro researchers, there are four layers between APT33 operators and their targets.

  • VPN layer -- a custom-built network of VPN nodes to hide the operator's real IP address and location
  • Bot Controller layer -- an intermediary layer of servers
  • C&C Backend layer -- the actual backend servers through which the group manages its malware botnets
  • Proxy layer -- a collection of cloud proxy servers through which C&C (command-and-control) servers hide from infected hosts
apt-nfrastructure.jpg

Image: Trend Micro

But what stood out to researchers was the fact that APT33 was not using commercial VPN servers to hide their location, as some hacking groups tend to do.

Instead, the group had set up and was operating its own private VPN network.

"Setting up a private VPN can be easily done by renting a couple of servers from data centers around the world and using open source software like OpenVPN," researchers said.

APT33's custom VPN network was a big mistake

But what APT33 didn't know was that this, actually, made them easier to track. Researchers only had to keep an eye out for a few IP addresses. If APT33 had used a commercial VPN provider's network, then they would have seamlessly melted into all the other legitimate traffic.

"APT33 likely uses its VPN exit nodes exclusively," Trend Micro said. "We have been tracking some of the group's private VPN exit nodes for more than a year, and we have listed known associated IP addresses in the table below."

apt33-vpns.png

Image: Trend Micro

But besides connecting to their malware botnet control panels, Trend Micro said that the group had also used the same private VPN exit nodes "for reconnaissance of networks that are relevant to the supply chain of the oil industry."

"More concretely, we have witnessed some of the IP addresses in Table 3 doing reconnaissance on the network of an oil exploration company and military hospitals in the Middle East, and an oil company in the U.S.," researchers said.

"APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry," Trend Micro's team said. "We recommend companies in the oil and gas industry to cross-relate their security log files with the IP addresses listed above."

In addition, Trend Micro said APT33 also used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and cryptocurrency hacking sites.

Additional indicators of compromise (IoCs) for APT33's recent hacking operations are available in the Trend Micro report, here.