
Throwback Attack: Elfin team changes tactics

Courtesy: Brett Sayles

In recent years, cybersecurity in critical infrastructure has been at the forefront of people’s minds. With attacks on U.S. critical infrastructure, such as Colonial Pipeline, Kemuri Water Company and many more, cybersecurity threats aren’t going away any time soon. According to the Center for Strategic and International Studies (CSIS), the top nation-state threat actors that threaten U.S. national security are China, Russia, Iran and North Korea. All of these countries have notable, recent attacks linked to them, such as those by Iran’s advanced persistent threat group APT33, the Elfin espionage group.

In 2013, the Elfin team formed, targeting commercial and governmental sectors in Saudi Arabia, South Korea and the U.S., and they have been active as recently as 2020. They tend to prey on the aerospace, defense and petrochemical industries. Their targets in 2019 were no different; however, instead of their normal attack efforts, which start with spear-phishing and use a combination of malware and tools, they exploited a vulnerability in WinRAR, a file archiving utility, to steal information rather than destroy it.

Elfin history and background

Elfin rose to fame in late 2016 after using targeted phishing attacks and domain-spoofing to deliver the Shamoon wiper malware. They have been tied to many cyberattacks throughout the years, such as compromising a U.S. organization in the aerospace sector and targeting a business conglomerate in Saudi Arabia with aviation holdings and a South Korean company involved in oil refining and petrochemicals.

Even in recent years, the group has been highly active, attacking at least 50 organizations in many fields, such as engineering, chemical, research and healthcare organizations, in countries across Europe, the U.S. and the Middle East and North Africa (MENA). Elfin has gone so far as to register domains that impersonate many companies, such as Boeing, Alsalam Aircraft Company, Northrop Grumman and Vinnell, and that feature recruitment-themed lures.

The group has been tied to Iran. This has been inferred from their targets, the hacking tools and DNS servers they use, and the observation that their activity takes place in a time zone that coincides with Iran’s Daylight Time. The tools and servers that Elfin uses are ones that other suspected Iranian threat groups, such as Shamoon, StoneDrill, Dropshot, Turnedup and others, also use. According to a CSO article, “Based on its tactics and targets, our assessment is that Elfin is a state-sponsored espionage group,” says Dick O’Brien, researcher at Symantec’s Security Response. “Given the nature of the group and its targets, we can only speculate that the information in question is likely to be of a strategic or economic interest to Elfin’s sponsors.”

The 2019 Elfin attack attempt

The group went from destructive attacks, with wipers that would destroy data, to focusing on spear phishing and exploiting known vulnerabilities in common software. While their attack strategies have changed, their targets have not. In the same CSO article, O’Brien said, “The main point of entry in recent attacks has been spear-phishing emails capable of delivering malware to the recipient’s computer. The group has also attempted to exploit the recently patched WinRAR vulnerability attacks.”

In February 2019, Elfin attempted to exploit CVE-2018-20250, a vulnerability in WinRAR. WinRAR is a popular file archiving utility for Windows that can create and view archives in RAR or ZIP file formats. The vulnerability went undetected for nearly 20 years and is dangerous because WinRAR, which is installed on millions of machines worldwide, has no automatic update mechanism.

One of the specific targets of this attack was a company in Saudi Arabia in the chemical sector. Two people who worked at the targeted company received a file called “JobDetails.rar.” In this kind of attack, phishing emails are sent to targeted companies and the victim is encouraged to download a file, here JobDetails.rar, which then tries to exploit CVE-2018-20250 in WinRAR. Luckily, Symantec had recently put out proactive measures against any attempt to exploit this vulnerability.

If this vulnerability had been exploited before the patch or on an unpatched system, an attacker would have been able to install any file on the computer, which effectively permits code execution on the targeted computer, according to Symantec in an Infosecurity article.
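As an added example (not from the original article or from Symantec), the Python sketch below shows a mail-gateway style check for this kind of lure: classify an attachment by its leading bytes and compare that with the extension it claims. It relies on a detail from public reporting on CVE-2018-20250 rather than from this page, namely that the flaw sits in WinRAR's handling of ACE-format archives, which WinRAR recognizes by content even when the file is named .rar; the file names and byte strings are constructed samples.

```python
# Leading magic bytes of the archive formats relevant here.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
ZIP_MAGIC = b"PK\x03\x04"
# ACE archives carry the marker "**ACE**" at byte offset 7 of the main header.
ACE_MARKER, ACE_OFFSET = b"**ACE**", 7


def sniff_archive_type(data: bytes) -> str:
    """Return the archive format implied by the leading bytes."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data[ACE_OFFSET:ACE_OFFSET + len(ACE_MARKER)] == ACE_MARKER:
        return "ace"
    return "unknown"


def triage_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the sniffed format and pick a verdict."""
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = sniff_archive_type(data)
    expected = {"rar": {"rar4", "rar5"}, "zip": {"zip"}, "ace": {"ace"}}.get(claimed, set())
    mismatch = actual not in expected
    if actual == "ace":
        verdict = "quarantine"  # ACE content, whatever the file name says
    elif mismatch:
        verdict = "review"      # extension and content disagree
    else:
        verdict = "allow"
    return {"file": filename, "claimed": claimed, "actual": actual,
            "mismatch": mismatch, "verdict": verdict}


# Constructed sample inputs: header bytes only, not real archives or real lures.
SAMPLES = {
    "lure-sample.rar": b"\x00\x00\x31\x00\x00\x00\x90" + ACE_MARKER + b"\x14\x14\x02\x00",
    "report.rar": RAR5_MAGIC + b"\x00" * 8,
    "slides.zip": ZIP_MAGIC + b"\x00" * 8,
    "notes.rar": b"plain text, not an archive",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(triage_attachment(name, blob))
```

A content/extension mismatch is only a triage signal; patching or removing vulnerable WinRAR installs remains the fix, since the page notes there is no automatic update mechanism.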

Sending a message

Elfin is only one example of a state-sponsored espionage group. It has been active for almost a decade and seems to be firmly in the sights of the U.S. Justice and Treasury Departments. All of the indictments, sanctions and regulations that have recently been passed show that the U.S. government sees the threats as they are, and that these groups can’t hide in the shadows forever. These government actions show APT groups that they are being taken seriously, and they also send a message to other groups that may have believed they were operating anonymously.



