Menu
Browse

Cyber Threat Actor: APT33

Aliases: 4 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Iran
5 incidents
Profile

APT33, also tracked as Elfin, Refined Kitten and Magnallium, is an Iranian state‑sponsored threat actor that has been publicly linked to a series of cyber operations targeting critical infrastructure and government entities across multiple regions. The group is believed to operate from Iran and has been observed using a range of aliases in security reporting and attribution statements. Its activities have included attempts to gain persistent access to electric utilities, oil and gas facilities, water treatment systems, aviation networks and passport control platforms, with observed effects ranging from credential harvesting to destructive data wiping.

The actor’s typical tactics involve password‑spraying campaigns designed to guess common passwords across large numbers of user accounts, often combined with exploitation of virtual private network vulnerabilities to establish initial footholds. In several reported incidents APT33 has deployed wiper malware families such as Dustman—a derivative of earlier Iranian wipers like ZeroCleare—that overwrites master boot records and propagates via SMB to destroy data on infected hosts. The group has also been associated with the use of Shamoon variants in attacks against energy sector organizations, although attribution for those specific samples remains less certain. These methods reflect a focus on obtaining network access followed by either data exfiltration or destructive disruption, depending on the objective of the operation.

Representative operations attributed to APT33 include the 2022 intrusion against Albania’s Total Information Management System that disrupted passport controls at borders and airports, the 2019 deployment of Dustman against Bahrain’s national oil company that caused partial data loss and system crashes, and a prolonged 2019‑2020 campaign of password‑spraying and VPN exploitation against U.S. electric utilities and oil and gas firms conducted in cooperation with the Parisite group. Additional publicly reported actions involve attempts to manipulate chlorine levels in Israeli water treatment facilities in 2020 and a broad set of cyber‑efforts targeting aviation systems during a high‑profile diplomatic event in Israel the same year. These examples illustrate the actor’s recurring interest in sectors that support essential services and its willingness to employ both stealthy access techniques and destructive payloads to achieve its goals.

Incidents
Attributed incidents available to members
5 incidents
Sources
Sources available to members
2 sources