Iran-linked hackers targeting Saudi petrochemicals and aerospace dealings


Researchers at the cybersecurity firm FireEye have described a state-sponsored hacker group, which they believe is based in Iran, that is interested in Saudi Arabian aerospace and petrochemical dealings.

The hacker group, dubbed APT 33, used phishing emails disguised as help-wanted ads to lure employees at American companies involved with Saudi Arabian aviation, South Korean companies that do business with the Saudi Arabian petrochemical industry and Saudi Arabian holding companies and organizations.


FireEye believes the group is Iranian because malware source code from the group contains testing commands designed to save results to files within the "user" folder of "xman_1365_x" on a Windows hard drive. Xman_1365_x is the nickname of an Iranian hacker.

FireEye also noted that the hackers monitored and commanded hacked systems between Saturday and Wednesday — a work week unique to Iran.  

The hackers also used infrastructure, such as hosting companies, located in Iran and tools associated with Iranian hackers.

Some malware used by the group was first publicly identified by Kaspersky Lab, which did not attribute the group to Iran.