Written by Sean Lyngaas

In the last two months, an aggressive hacking group linked with the Iranian government has made a troubling shift in its targeting, security researchers at Microsoft say. Instead of simply probing IT networks, the hackers have gone after a series of industrial control system (ICS) products used in the energy sector.

Given that the group, known as APT33, has been linked with data-wiping hacks in the past, the new activity has analysts’ full attention. It fits a broader trend in state-linked activity in which attackers have been increasingly willing to probe industrial software to achieve their objectives.

“You have an actor that has been linked to deployment of destructive payloads in the past,” said Microsoft security researcher Ned Moran, laying out his concerns. “You have an actor that’s really interested in the energy industry,” which includes important infrastructure such as pipelines and refineries.

What APT33’s objectives are in its latest activity is an open question. The hackers could simply be collecting data on the targets rather than trying to disrupt them. But Moran felt the issue pressing enough to warn the cybersecurity industry about it in a presentation Thursday at CYBERWARCON in Arlington, Virginia.

Moran shared a new batch of APT33 data from Microsoft, which has some of the widest visibility of state-sponsored hacking in the cybersecurity industry. From roughly June to October, the Iranian hackers were probing tens of thousands of IT-focused organizations with a technique called password spraying that throws common passwords at targets.

But in October and November, the number of targeted organizations fell to about 2,000 per month, while the number of targeted accounts per organization jumped tenfold. Many of those recent targets, Moran said, were ICS vendors and suppliers, and the consulting firms that work in that sector. He did not elaborate on the targets. But APT33, also known as Holmium and Refined Kitten, has previously focused on U.S. and Saudi Arabia-based organizations, including those in the defense, transportation, and oil and gas sectors.

Moran cautioned attendees not to mistake APT33’s noisy behavior — the password-spraying isn’t hard for Microsoft to notice — for a lack of sophistication.

“They are operationally very sophisticated, and they pay careful, careful attention to op-sec,” Moran said. “They’re deliberate. They make subtle changes to their tactics over time.”

John Hultquist, director of intelligence analysis at security firm FireEye, put the threat posed by Iranian hackers in stark terms.

“The Iranian cyberthreat is a clear and present danger to critical infrastructure operators, especially given the state of affairs between Iran and their adversaries,” Hultquist told CyberScoop. “If they are seeking to gain access to the critical infrastructure supply chain they could leverage this access to carry out a significant attack.”

Wired was first to report on the recent APT33 activity.