Iranian hackers built their own VPN network – Here’s why they shouldn’t have

A hacker at work wearing a hoodie

Unless you work in cyber-security circles, the chances are that you haven’t heard of the hacking collective known as APT33.

They are thought to be the most sophisticated of Iran’s state-sponsored hacking groups and have been responsible for a number of high-profile cyber-attacks, including the 2012 assault on Saudi Arabian oil company Saudi Aramco which saw 35,000 devices destroyed by a disk-wiping malware programme known as Shamoon.

APT33 have resurfaced of late with a string of attacks on oil and aviation targets, some of which deployed an updated version of Shamoon.

Confirmed victims this year, according to the online security firm Trend Micro include a US company operating in the security sector, individuals linked to the US military and US universities, and selected targets in the Middle East and Asia.

Trend Micro has been looking at these attacks in some detail and uncovered an interesting detail in how APT33 has been operating. They have built their own VPN network.

How APT33 operates

According to Trend Micro, all of APT33’s operations are layered and isolated to ensure that their identities cannot be revealed.

They claim that everything APT33 does is filtered through a VPN layer, a Bot Controller layer (another layer of servers), a C&C Backend Layer (where they manage their malware botnets), and a Proxy server layer (unencrypted proxy servers).

This is not uncommon but the decision to set up their own VPN network rather than use a commercially available one is more unusual.

It is actually fairly easy to set up your own VPN. You just have to rent some servers from different data centres and set up a connection using open-source software like OpenVPN.

This might seem like a sensible step to take for a group that clearly prized their anonymity far more than most internet users. But actually, it was a glaring error and a mistake that hammers home the privacy benefits that come with using a premium commercial VPN.

Should have used a commercial VPN

The decision to set up their own VPN meant that all researchers had to do was identify the IP Addresses of that VPN and they could track the APT33 hackers.

As Trend Micro explained, “APT33 likely uses its VPN exit nodes exclusively. We have been tracking some of the group’s private VPN exit nodes for more than a year, and we have listed known associated IP addresses.”

These same IP Addresses were also found to have been used “for reconnaissance of networks that are relevant to the supply chain of the oil industry” and on military hospitals in the Middle East. Surveillance of a US-based oil company was also spotted.

Because a private VPN network was being used, Trend Micro found it very easy to identify that the same IP Addresses were being used for related cyber-attacks and surveillance operations. They cannot identify the individuals behind these attacks but they can spot the patterns and identify potential future targets.

If the APT33 hackers had used a regular VPN, it would have been almost impossible for Trend Micro to spot these patterns. Their activity would have been mixed up with the thousands of legitimate VPN customers who were using the same IP Address. Separating this activity out is almost impossible.

Hackers show the benefits of a VPN

This example illustrates all too clearly the advantages of using a VPN to maintain your online privacy. By sharing IP Addresses, your online activity is indistinguishable from that of others connected to the same server.

This means even if it can be proved that you were using that IP Address (which is impossible with most providers anyway), it can never be proved that you visited any of the sites that recorded visits from the same IP Address.

It is something of a schoolboy error of the APT33 hackers not to use a regular VPN. There is no doubt that many other hackers have not made the same mistake.

The overwhelming majority of VPN users are just regular internet users who value their online security and privacy. They are not hackers trying to cover their nefarious activity. But the fact that these skilled hackers still use a VPN, and experts like Trend Micro are surprised when they don’t says a lot about how effective VPNs are.

Cyber-security experts agree that using a VPN is essential is you are serious about keeping your internet data secure and private. The case of the APT33 hacking group only serves to reinforce this view.

Trend Micro did also report that APT33 was accessing penetration testing companies, webmail, websites on vulnerabilities, and cryptocurrency hacking sites.

If you are worried that your company could be targeted by APT33, you should probably take a look at the full Trend Micro report which lists each of the IP Addresses they have been using.

Author: David Spencer

Cyber-security & Technology Reporter, David, monitors everything going on in the privacy world. Fighting for a less restricted internet as a member of the VPNCompare team for over 7 years.

Away from writing, he enjoys reading and politics. He is currently learning Mandarin too... slowly.

Leave a Reply

Your email address will not be published. Required fields are marked *