Microsoft ranked those targets by the number of accounts hackers tried to crack; Moran says about half of the top 25 were manufacturers, suppliers, or maintainers of industrial control system equipment. In total, Microsoft says it has seen APT33 target dozens of those industrial equipment and software firms since mid-October.
The hackers' motivation—and which industrial control systems they've actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. "They're going after these producers and manufacturers of control systems, but I don’t think they’re the end targets," says Moran. "They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems."
The shift represents a disturbing move from APT33 in particular, given its history. Though Moran says Microsoft hasn't seen direct evidence of APT33 carrying out a disruptive cyberattack rather than mere espionage or reconnaissance, it's seen incidents where the group has at least laid the groundwork for those attacks. The group's fingerprints have shown up in multiple intrusions where victims were later hit with a piece of data-wiping malware known as Shamoon, Moran says. McAfee last year warned that APT33—or a group pretending to be APT33, it hedged—was deploying a new version of Shamoon in a series of data-destroying attacks. Threat intelligence firm FireEye has warned since 2017 that APT33 had links to another piece of destructive code known as Shapeshifter.
Moran declined to name any of the specific industrial control system, or ICS, companies or products targeted by the APT33 hackers. But he warns that the group's targeting of those control systems suggests that Iran may be seeking to move beyond merely wiping computers in its cyberattacks. It may hope to influence physical infrastructure. Those attacks are rare in the history of state-sponsored hacking, but disturbing in their effects; in 2009 and 2010 the US and Israel jointly launched a piece of code known as Stuxnet, for instance, that destroyed Iranian nuclear enrichment centrifuges. In December of 2016, Russia used a piece of malware known as Industroyer or Crash Override to briefly cause a blackout in the Ukrainian capital of Kyiv. And hackers of unknown nationality deployed a piece of malware known as Triton or Trisis in a Saudi Arabian oil refinery in 2017 designed to disable safety systems. Some of those attacks—particularly Triton—had the potential to inflict physical mayhem that threatened the safety of personnel inside the targeted facilities.
Iran has never been publicly tied to one of those ICS attacks. But the new targeting Microsoft has seen suggests it may be working to develop those capabilities. "Given their previous modus operandi of destructive attacks, it stands to reason that they’re going after ICS," says Moran.
"We are exposing here the cyber tools (APT34 / OILRIG) that the ruthless Iranian Ministry of Intelligence has been using against Iran’s neighboring countries, including names of the cruel managers, and information about the activities and the goals of these cyber-attacks," read the original message posted to Telegram by the hackers in late March.