
APT33

apt33 · primary source: MITRE · first observed 2012
IR · Iran · State-sponsored · Moderate confidence · last cited Sep 13, 2023 (3y ago)

Iranian state-sponsored actor with strategic intelligence interest in the global energy supply chain. Long-running password-spray and credential-theft campaigns against aviation and defense industrial bases, especially organizations linked to Saudi Arabian, U.S., and South Korean petrochemical and aerospace work.

Aliases

  • Refined Kitten (CrowdStrike)
  • HOLMIUM (Microsoft)
  • Peach Sandstorm (Microsoft)
  • Elfin (Other)

Motivations

espionage

Target sectors

  • energy
  • aviation
  • defense
  • petrochemical

Target countries

  • SA
  • US
  • KR
  • AE

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • APT33
  • Iran
  • espionage
Infrastructure
  • subreviews.azurewebsites.net
Victim
  • energy
  • aviation
  • defense
  • SA
  • US
  • +1 more

MITRE ATT&CK techniques

Timeline

1 event

Indicators of compromise

3 indicators
Domain · subreviews[.]azurewebsites[.]net
  • family: Tickler
  • first seen: Mar 31, 2024 · source: Microsoft
  • Azure App Service C2 subdomain associated with Tickler backdoor activity. Microsoft's August 2024 Peach Sandstorm report lists this in the IOC appendix alongside other actor-controlled azurewebsites.net subdomains used to abuse fraudulent Azure tenants for command-and-control.

SHA-256 · 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198
  • family: Tickler
  • first seen: Mar 31, 2024 · source: Microsoft
  • Tickler custom multi-stage backdoor sample published by Microsoft Threat Intelligence in August 2024 as part of Peach Sandstorm operations against satellite, oil-and-gas, communications and US/UAE federal and state government targets observed April-July 2024.

Name · go-http-client
  • first seen: Jan 31, 2023 · source: Microsoft
  • User-agent string Microsoft observed in the Feb-Jul 2023 Peach Sandstorm password-spray wave against thousands of organizations in the satellite, defense and pharmaceutical sectors. Sprays were routed through TOR exit nodes; Microsoft attributes the activity to APT33 / Elfin / Refined Kitten based on overlaps with that actor's known operations.

Related actors

shared ATT&CK techniques

References


Threat Intel Tracker. (2026-05-19). APT33 — actor profile. Retrieved from https://threatintel.local/actors/apt33

latest cited activity · 2023-09-14 · 3 cataloged indicators