The Elfin espionage group, also called APT33, has remained highly active over the past three years, attacking at least 50 organizations in Saudi Arabia, the United States, and a range of other countries, reports the computer security firm Symantec.
The group, which first became active in late 2015 or early 2016, specializes in scanning for vulnerable websites to identify potential targets, either for attack or for the creation of command and control infrastructure. It has compromised a wide range of targets in Saudi Arabia, the United States, and elsewhere, including government agencies along with organizations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.
Elfin continues to be focused heavily on Saudi Arabia, which accounted for 42 percent of attacks observed by Symantec since the beginning of 2016. However, the United States has also been a country of significant interest to the group, with 18 organizations attacked over the past three years, including a number of Fortune 500 companies.
Elfin’s U.S. targets have included organizations in the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.
Some of these U.S. organizations may have been targeted by Elfin for the purpose of mounting supply chain attacks. In one instance, a large U.S. company was attacked in the same month a Middle Eastern company it co-owns was also compromised.
Elfin has deployed a wide range of tools in its attacks, including custom malware, commodity malware, and open-source hacking tools.