As political tensions between the United States and Iran continued to rise over the course of 2019, the Iranian-based threat actor, known as APT33, became more active. Increasing geopolitical tensions resulted in backlashes against the private sector as a method to disable, disrupt, and destabilize governments. Throughout Mandiant’s investigation, we observed ties between U.S. sanctions, military operations, and cyber activity. APT33’s tradecraft included trojanized executables, Run keys, scheduled tasks, services, and Windows Management Instrumentation (WMI). Evidence showed that APT33 strategically harvested credentials from thousands of systems, performed data staging, and remained undetected for years.

APT33 has shown specific interest in aerospace & defense, energy & utilities, and oil & gas industries. We believe that Iranian-based threat actors, such as APT33 will continue to become more prolific as political tensions with Iran continue to rise. Raising industry awareness of this attacker’s methodology is critical to protect companies from this threat.

This presentation will recount Mandiant’s investigation from the perspective of the incident responders and will detail how it scoped, contained, and eradicated APT33 from the environment. Attendees of this presentation will come away with a deep technical understanding of the persistence, lateral movement, and data staging techniques used by APT33.

Daniel Chun and Steve Rasch

Daniel Chun is a Senior Incident Response Consultant in Mandiant’s Phoenix office. As a part of the Incident Response team, Mr. Chun provides emergency services to clients when a security breach occurs.

Prior to joining Mandiant, Mr. Chun spent time as a consultant where he helped build security programs, conducted investigations, and delivered training. He has been involved in malware analysis, payment card forensic investigations (PFI), and security operations development in various industries; including healthcare, industrial, financial, aerospace, and hospitality.

Steve Rasch is a Principal Incident Response Consultant in Mandiant’s Phoenix office.  As part of the Incident Response Team, Mr. Rasch focuses on incident response, compromise assessments, and computer forensics.

Prior to joining Mandiant, Mr. Rasch was a Senior Information Security Engineer for General Dynamics Missions Systems for over 4 years.  During this time, Mr. Rasch’s primarily served as an incident response lead and computer forensics analyst.