Iranian hackers have carried out some of the most disruptive acts of digital sabotage of the last decade, wiping entire computer networks in waves of cyberattacks across the Middle East and occasionally even the US. But now one of Iran's most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they're targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company's threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That's generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.

Microsoft ranked those targets by the number of accounts hackers tried to crack; Moran says about half of the top 25 were manufacturers, suppliers, or maintainers of industrial control system equipment. In total, Microsoft says it has seen APT33 target dozens of those industrial equipment and software firms since mid-October.

The hackers' motivation—and which industrial control systems they've actually breached—remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. "They're going after these producers and manufacturers of control systems, but I don’t think they’re the end targets," says Moran. "They‘re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems."

"Given their previous modus operandi of destructive attacks, it stands to reason that they’re going after ICS." Ned Moran, Microsoft

The shift represents a disturbing move from APT33 in particular, given its history. Though Moran says Microsoft hasn't seen direct evidence of APT33 carrying out a disruptive cyberattack rather than mere espionage or reconnaissance, it's seen incidents where the group has at least laid the groundwork for those attacks. The group's fingerprints have shown up in multiple intrusions where victims were later hit with a piece of data-wiping malware known as Shamoon, Moran says. McAfee last year warned that APT33—or a group pretending to be APT33, it hedged—was deploying a new version of Shamoon in a series of data-destroying attacks. Threat intelligence firm FireEye has warned since 2017 that APT33 had links to another piece of destructive code known as Shapeshifter.

Moran declined to name any of the specific industrial control system, or ICS, companies or products targeted by the APT33 hackers. But he warns that the group's targeting of those control systems suggests that Iran may be seeking to move beyond merely wiping computers in its cyberattacks. It may hope to influence physical infrastructure. Those attacks are rare in the history of state-sponsored hacking, but disturbing in their effects; in 2009 and 2010 the US and Israel jointly launched a piece of code known as Stuxnet, for instance, that destroyed Iranian nuclear enrichment centrifuges. In December 2016, Russia used a piece of malware known as Industroyer or Crash Override to briefly cause a blackout in the Ukrainian capital of Kyiv. And hackers of unknown nationality deployed a piece of malware known as Triton or Trisis in a Saudi Arabian oil refinery in 2017 designed to disable safety systems. Some of those attacks—particularly Triton—had the potential to inflict physical mayhem that threatened the safety of personnel inside the targeted facilities.

Iran has never been publicly tied to one of those ICS attacks. But the new targeting Microsoft has seen suggests it may be working to develop those capabilities. "Given their previous modus operandi of destructive attacks, it stands to reason that they’re going after ICS," says Moran.