Thousands of employees at more than 200 companies have fallen victim to a widespread campaign carried out by Iranian hackers over the last two years.
According to Microsoft, which briefed The Wall Street Journal on the attacks, the incidents have been "destructive... massively destabilizing events" that have resulted in millions of dollars in lost productivity and data to date.
Microsoft is attributing the attacks to APT 33, a group linked to Iran that it calls Holmium, in keeping with the company's practice of naming APT groups after chemical elements (it refers to APT 28 as Strontium).
According to the publication, which spoke to John Lambert, the head of Microsoft's Threat Intelligence Center, more than 2,200 people have been targeted with phishing emails as part of the campaign. While not technically sophisticated (phishing is often regarded as one of the least sophisticated attack vectors), the campaign is far-reaching. Companies, mostly unnamed, in Saudi Arabia, Germany, India, Britain, and parts of the U.S. have been hit as part of the attack.
Details on the campaign are scant beyond the fact that the group was able to make off with corporate secrets from oil and gas firms, heavy machinery manufacturers, and international companies. After infiltrating systems via phishing, the attackers erased data on some of the machines they infected, likely in an attempt to cover their tracks. It's unclear exactly what type of data the attackers were or have been after, although it's not far-fetched to assume it is valuable intellectual property or otherwise proprietary in nature.
The campaign is apparently one and the same as one uncovered earlier this year by FireEye, which in January said an Iranian group was hijacking DNS records to redirect traffic from companies worldwide through its own servers. That report, published by FireEye's Mandiant team, didn't name the exact companies affected by the campaign either, but said it impacted telecoms, ISPs, internet infrastructure providers, government, and sensitive commercial entities, and had been in effect since January 2017.
FireEye's finding pressured the U.S. Department of Homeland Security to issue an Emergency Directive – the first ever – to warn government entities of DNS hijacking attacks that same month.
“[The Cybersecurity and Infrastructure Security Agency] (CISA) is aware of multiple executive branch agency domains that were impacted by the tampering campaign and has notified the agencies that maintain them,” read the Emergency Directive issued by CISA. In the Directive, CISA encouraged all admins overseeing .gov or agency-managed domains to audit the public DNS records on their DNS servers to ensure they were resolving to the right location.
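The kind of audit the Directive asks for, in the form of a small drift check added here as an illustration (it is not code from the article, Microsoft, CISA or FireEye): current answers for each monitored name are compared against a known-good baseline, and any value that appeared or disappeared is reported. The domains, baseline values and observed answers below are constructed sample data; in a real audit the observed set would be filled from an authoritative or public resolver.

```python
"""DNS record drift check in the spirit of the CISA Emergency Directive audit.
All domains, baseline values and observed answers here are constructed
sample data, not real infrastructure."""

from typing import Dict, List, Set

Records = Dict[str, Dict[str, Set[str]]]  # name -> record type -> values

# Known-good baseline, as an operator would record it after verifying
# every entry by hand (constructed).
BASELINE: Records = {
    "www.example.gov": {"A": {"192.0.2.10"}},
    "mail.example.gov": {"A": {"192.0.2.25"}, "MX": {"10 mail.example.gov."}},
    "example.gov": {"NS": {"ns1.example.gov.", "ns2.example.gov."}},
}

# Observed answers (constructed), built so that the mail host's A record
# now points at an unexpected address and an extra nameserver has appeared:
# the two symptoms of record tampering an audit is meant to surface.
OBSERVED: Records = {
    "www.example.gov": {"A": {"192.0.2.10"}},
    "mail.example.gov": {"A": {"198.51.100.7"}, "MX": {"10 MAIL.example.gov."}},
    "example.gov": {"NS": {"ns1.example.gov.", "ns2.example.gov.",
                           "ns3.unknown.example."}},
}


def _norm(value: str) -> str:
    # Names are case-insensitive and may carry a trailing dot; compare a
    # canonical form so harmless formatting differences are not reported.
    return value.strip().lower().rstrip(".")


def audit(baseline: Records, observed: Records) -> List[str]:
    """Return one finding per value that drifted from the baseline."""
    findings: List[str] = []
    for name, types in baseline.items():
        for rtype, expected in types.items():
            want = {_norm(v) for v in expected}
            seen = {_norm(v) for v in observed.get(name, {}).get(rtype, set())}
            for v in sorted(seen - want):
                findings.append(f"{name} {rtype}: unexpected value {v}")
            for v in sorted(want - seen):
                findings.append(f"{name} {rtype}: expected value missing {v}")
    return findings


if __name__ == "__main__":
    for line in audit(BASELINE, OBSERVED):
        print(line)
```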
Only one of the roughly 200 companies, Saipem S.p.A., an Italian oil and gas contractor, confirmed to the WSJ that it was hit by the campaign, saying an attack in December 2018 took out data at facilities in the Middle East, Scotland, and Italy.
Microsoft, which deployed incident response teams to the affected companies, has been investigating the APT group for four years but claims its activity escalated in 2018.