APT33 (Elfin Team) Targets Aerospace & Energy Firms via Spear‑Phishing‑Driven Espionage Campaign

APT33 (Elfin Team), an advanced persistent threat group, has been linked to a recent cyberattack on the aerospace and energy sectors. The incident leveraged spear phishing and malware deployment to gain access, steal data, and evade detection. In this article, we examine who was responsible, how the attack unfolded, when it occurred, and what security leaders can do to avoid similar risks. We will also explore where Obsidian Security’s capabilities align with prevention and response.
Sophie Zhu
September 12, 2024

Who is APT33 (Elfin Team)?

APT33, also known as Elfin Team, is an Iran-linked advanced persistent threat group that has been active since at least 2013. It primarily targets organizations in the aerospace, defense, petrochemical, and energy sectors across the United States, Middle East, and parts of Europe. The group is well known for using spear-phishing emails with malicious attachments and links, often delivering custom malware families like Shamoon, DropShot, TurnedUp, and ALMA Communicator. Researchers consider APT33 to be among the more technically capable Iranian APTs, capable of long-term strategic cyber-espionage and potentially destructive operations depending on national directives.

What Happened?

Since 2016, the Iranian state-linked threat group APT33 has carried out a focused cyberattack campaign targeting aerospace and energy companies in the United States, Saudi Arabia, and South Korea. Using deceptive spear-phishing emails impersonating well-known aviation and energy firms, the group attempted to steal sensitive commercial and military information relevant to Iran's strategic interests.

How Did The Attack Work?

APT33 sent emails mimicking legitimate job recruitment offers from industry giants (such as Boeing or Northrop Grumman). These emails lured victims into clicking links or opening attachments, specifically .hta files that, when executed, installed a custom APT33 backdoor on the victim's machine. The malware toolkit included droppers like DROPSHOT and full-featured backdoors (e.g., TURNEDUP), enabling the threat group to maintain persistent access, exfiltrate sensitive data, and potentially facilitate destructive attacks.

Why It Matters

This campaign demonstrates the real-world impact of state-sponsored cyberattacks on globally critical industries. Aerospace and energy sector breaches can reveal proprietary technology, operational blueprints, or even military capabilities. This incident also underscores the growing sophistication of phishing tactics and the persistent threat that government-backed, well-resourced groups like APT33 pose to high-value organizations worldwide.

How to Defend Against APT33 (Elfin Team)-Style Attacks

To defend against threats similar to those used by APT33 (Elfin Team), security leaders should adopt the following multi-layered security practices:

  • Security Awareness & Phishing Simulations
    Train users to detect and report phishing attempts using realistic simulations. Reinforce awareness of social engineering tactics.
  • MFA Hardening (e.g., Phishing-Resistant Auth)
    Enforce phishing-resistant MFA (e.g., FIDO2, certificate-based auth). Detect and respond to MFA fatigue attacks or session hijacking attempts.
  • Endpoint Detection & Response (EDR)
    Deploy modern EDR solutions across workstations and cloud endpoints. Detect credential theft, persistence mechanisms, and lateral movement.
  • SaaS Misconfiguration Monitoring
    Continuously monitor for configuration drift and excessive privileges in SaaS apps (e.g., M365, Salesforce, Okta). Lock down unused integrations and enforce least privilege.
  • Email Gateway & Attachment Filtering
    Filter malicious attachments and links at the email gateway. Combine with in-app behavioral detection to spot post-delivery threats.
  • Threat Hunting or Behavioral Detection
    Proactively hunt for identity anomalies and unusual access patterns (e.g., impossible travel, session token reuse, OAuth abuse) across your SaaS estate.
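As an added example (not code from the original post or from Obsidian's platform), the following Python script implements two of the hunting checks named above, impossible travel and session-token reuse, over a constructed set of SaaS sign-in events; the event fields, the 900 km/h speed threshold and the sample IP addresses are assumptions.

```python
from collections import namedtuple
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; faster implies two actors or a replayed token

# One SaaS sign-in event (assumed schema): ts is epoch seconds, session_id the token issued at sign-in
SignIn = namedtuple("SignIn", "user ts ip lat lon session_id")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def detect_anomalies(events):
    """Yield (rule, user, detail) for impossible travel and session-token reuse."""
    last_by_user = {}    # user -> most recent sign-in
    ips_by_session = {}  # session_id -> set of IPs that presented it
    for e in sorted(events, key=lambda ev: ev.ts):
        # Rule 1: a session token presented from an IP it was never issued to
        seen = ips_by_session.setdefault(e.session_id, set())
        if seen and e.ip not in seen:
            yield ("session_token_reuse", e.user, f"{e.session_id}: {sorted(seen)} then {e.ip}")
        seen.add(e.ip)
        # Rule 2: distance/time between consecutive sign-ins implies an implausible speed
        prev = last_by_user.get(e.user)
        if prev is not None and e.ip != prev.ip:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = max((e.ts - prev.ts) / 3600, 1e-6)
            if km / hours > MAX_PLAUSIBLE_KMH:
                yield ("impossible_travel", e.user, f"{km:.0f} km in {hours:.2f} h")
        last_by_user[e.user] = e

# Constructed sample (documentation IP ranges): alice signs in from Riyadh and 30 minutes
# later from Seoul; bob's session token later appears from a second IP.
SAMPLE_EVENTS = [
    SignIn("alice", 1000, "203.0.113.10", 24.71, 46.67, "sess-a1"),
    SignIn("alice", 2800, "198.51.100.7", 37.57, 126.98, "sess-a2"),
    SignIn("bob", 1500, "192.0.2.5", 47.61, -122.33, "sess-b1"),
    SignIn("bob", 1700, "192.0.2.99", 47.61, -122.33, "sess-b1"),
]

def run_sample():
    return list(detect_anomalies(SAMPLE_EVENTS))

if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

In production the coordinates would come from the identity provider's sign-in log or a geolocation lookup, and the speed threshold should be tuned to tolerate VPN and mobile carrier egress changes.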

Obsidian Security’s platform can help detect these signals, automate posture hardening, and accelerate incident response across identity and SaaS environments.

Where Obsidian Security Can Help

Obsidian's SaaS Identity Threat Detection & Response (ITDR) helps detect post-phishing account misuse, token reuse, and impossible travel anomalies across SaaS environments.

Conclusion

APT33 (Elfin Team)’s recent campaign underscores the need for layered security and SaaS-native threat detection. Organizations should combine user education, identity threat protection, and SaaS configuration hardening to minimize risk. Obsidian’s continuous monitoring and context-aware alerts help defenders identify and respond to threats before damage is done.