Tue. Nov 24th, 2020

Iranian-Linked Hacking Group Has Built Its Own VPN

Password on screen

The infamous Iranian state-sponsored hacking group — Apt33 — is operating a private VPN to help avoid detection.


In 2012, the group was responsible for the Shamoon malware, which was used to wipe the hard drives of more than 35,000 workstations at Saudi Arabia’s Saudi Aramco. And, earlier in July, US Cyber Command issued a warning via Twitter about APT33 attacks that used an old Outlook vulnerability to target victims in the US.


But the attacks don’t stop there.


According to TechRadar, this year alone, the group has “infected an American company that provides national security services, a university and a college in the US, a victim associated with the US military and several other victims in the Middle East and Asia.”


Crimes this sophisticated require stealth. And, researchers at Trend Micro say that instead of using a commercial VPN, Apt33 has set up and was operating its own private VPN.

“APT33 used its private VPN network to access websites of penetration testing companies, webmail, websites on vulnerabilities, and websites related to cryptocurrencies, as well as to read hacker blogs and forums. APT33 also has a clear interest in websites that specialize in the recruitment of employees in the oil and gas industry.”


On the plus side, however, the custom-built VPN has made the group easier to track.

“Setting up a private VPN can be easily done by renting a couple of servers from data centers around the world and using open source software like OpenVPN. Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node.”


For more information about Apt33, click here.