A state-sponsored hacking group from Iran has built and is operating its own private VPN, which it uses for hacking, reconnaissance and even everyday web browsing, according to new research from Trend Micro.
Security researchers often use the code-name APT33 to refer to the group, which is Iran’s most sophisticated hacking unit. APT33 was also responsible for the Shamoon malware back in 2012, which was used to wipe the hard drives of more than 35,000 workstations at Saudi Arabia’s Saudi Aramco.
The group recently resurfaced and launched a series of new attacks targeting the oil and aviation industries. So far in 2019, APT33 has infected an American company that provides national security services, a university and a college in the US, a victim associated with the US military and several other victims in the Middle East and Asia.
However, while Trend Micro was investigating the group’s latest attacks, it was able to gain a great deal of insight into how APT33 manages its hacking infrastructure.
Trend Micro’s researchers discovered that APT33 used four layers between its operators and their targets to help the group avoid detection.
First, a custom-built network of VPN nodes hides the IP addresses and locations of the operators. Second, a bot controller layer made up of intermediary servers sits behind the VPN exit nodes. Third, a C&C backend layer of servers manages the group’s malware botnets. Finally, a layer of proxy servers is used by the C&C servers to hide themselves from the infected hosts.
However, the biggest revelation made by Trend Micro is that APT33 had set up and was operating its own private VPN network rather than using commercial VPN servers to hide its location. This actually made the group easier to track: the researchers only had to watch a handful of IP addresses, whereas connections through a commercial VPN would have been far harder to attribute.
Trend Micro explained how APT33’s private VPN made the group easier for it to track in a blog post, saying:
“Setting up a private VPN can be easily done by renting a couple of servers from datacenters around the world and using open source software like OpenVPN. Though the connections from private VPN networks still come from seemingly unrelated IP addresses around the world, this kind of traffic is actually easier to track. Once we know that an exit node is mainly being used by a particular actor, we can have a high degree of confidence about the attribution of the connections that are made from the IP addresses of the exit node.”
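The attribution logic Trend Micro describes above, as an added example that is not code from the article or from Trend Micro: once an analyst has tied a few exit-node IP addresses to one actor, connection logs can be matched against that watchlist, and the tell-tale pattern of a private VPN (a small pool of addresses recurring across many days) can be surfaced for review. The log lines, the watchlist, the actor label and the IP addresses (RFC 5737 documentation ranges) are all constructed placeholders.

```python
from collections import Counter, defaultdict
from datetime import datetime
import ipaddress

# Constructed sample perimeter log (not from the page):
# "<UTC timestamp> <source IP> -> <destination host> <action>"
SAMPLE_LOG = """\
2019-11-01T08:02:11Z 192.0.2.10 -> mail.example.org LOGIN_OK
2019-11-01T08:05:43Z 192.0.2.10 -> vpn.example.org LOGIN_FAIL
2019-11-02T13:21:09Z 198.51.100.7 -> mail.example.org LOGIN_OK
2019-11-03T09:14:55Z 192.0.2.10 -> intranet.example.org GET
2019-11-03T09:15:02Z 203.0.113.42 -> intranet.example.org GET
2019-11-04T17:40:30Z 198.51.100.7 -> mail.example.org LOGIN_FAIL
2019-11-05T11:00:00Z 203.0.113.99 -> mail.example.org LOGIN_OK
2019-11-06T22:10:12Z 192.0.2.10 -> mail.example.org LOGIN_OK
"""

# Watchlist of exit nodes an analyst has previously tied to one actor, with an
# attribution confidence. Placeholder addresses and a placeholder actor label.
EXIT_NODE_WATCHLIST = {
    "192.0.2.10": ("ACTOR-X", 0.9),
    "198.51.100.7": ("ACTOR-X", 0.8),
}


def parse_log(text):
    """Parse the constructed log format into event dicts; malformed IPs raise."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _arrow, dst, action = line.split()
        ipaddress.ip_address(src)  # validates the address, raises ValueError otherwise
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "action": action,
        })
    return events


def attribute(events, watchlist=EXIT_NODE_WATCHLIST):
    """Tag every event whose source is a known exit node with the actor and confidence."""
    hits = []
    for e in events:
        if e["src"] in watchlist:
            actor, confidence = watchlist[e["src"]]
            hits.append({**e, "actor": actor, "confidence": confidence})
    return hits


def reuse_profile(events):
    """Number of distinct days each source IP was seen.

    A small pool of addresses recurring across many days is the signature of a
    private VPN exit pool; commercial VPN traffic instead spreads over many
    addresses that rarely repeat.
    """
    days = defaultdict(set)
    for e in events:
        days[e["src"]].add(e["ts"].date())
    return {ip: len(seen) for ip, seen in days.items()}


def candidate_exit_nodes(events, min_days=2, watchlist=EXIT_NODE_WATCHLIST):
    """Recurring source IPs not yet on the watchlist, for analyst review."""
    profile = reuse_profile(events)
    return sorted(ip for ip, n in profile.items()
                  if n >= min_days and ip not in watchlist)


def summarize(text, watchlist=EXIT_NODE_WATCHLIST):
    """Full pass over a log: totals, attributed events per actor, reuse profile."""
    events = parse_log(text)
    hits = attribute(events, watchlist)
    return {
        "total": len(events),
        "attributed": len(hits),
        "per_actor": dict(Counter(h["actor"] for h in hits)),
        "reuse": reuse_profile(events),
        "candidates": candidate_exit_nodes(events, watchlist=watchlist),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The confidence values are carried through per event rather than collapsed, so a downstream rule can treat a single hit from a 0.8 node differently from repeated hits from a 0.9 node; the reuse profile is what justifies promoting a new address onto the watchlist in the first place.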
This isn’t the first time we’ve seen a group of hackers create and operate their own VPN. Earlier this year, hackers who used many of the tools and techniques of the Chinese-affiliated threat actor group APT10 built a VPN for greater convenience within the networks of mobile carriers they had previously infiltrated.