Key Takeaways about APT33:
  • Iranian espionage group targeting critical infrastructure: APT33 is believed to be a state-sponsored threat actor active since 2013, conducting long-term intelligence operations against aerospace, energy, and defense organizations to steal intellectual property that advances Iran's military and economic capabilities.

  • Dual espionage and destructive capability: While primarily focused on data theft, APT33's toolset has direct links to destructive wiper malware like StoneDrill, suggesting compromised organizations face risks beyond espionage, including potential data destruction during geopolitical conflicts.

  • Tracked under multiple vendor names: Security teams may encounter this threat cluster as Elfin Team, Refined Kitten, Holmium, or Peach Sandstorm, different labels used by vendors like CrowdStrike, Microsoft, and Symantec for the same Iranian actor based on overlapping infrastructure, malware, and targeting patterns.

Who is APT33?

APT33 is an Iranian state-sponsored advanced persistent threat (APT) group that has been conducting cyber espionage operations since at least 2013. The group is distinct from other Iranian actors due to its specific focus on aerospace and energy sectors, aiming to steal intellectual property that directly benefits Iran's domestic industries. Security researchers assess that APT33 likely operates in support of Iran's Islamic Revolutionary Guard Corps (IRGC), based on targeting patterns that align with national military priorities. This assessment reflects moderate-to-high confidence attribution derived from operational timing, victim selection, and tooling overlap with other Iranian clusters.


Attribution and aliases

Security vendors often track the same threat actors independently, leading to multiple names for the same group. For APT33, the primary aliases include Elfin Team, Refined Kitten, Holmium, and Peach Sandstorm. CrowdStrike, for example, uses the "Kitten" naming convention for Iranian actors.

Microsoft tracks this cluster as Peach Sandstorm (formerly Holmium), while Symantec uses the name Elfin. Despite the different labels, these names are commonly used by vendors to refer to the same or heavily overlapping threat cluster. Minor variations exist because each vendor applies its own clustering methodology based on infrastructure, tooling, and targeting overlap. Analysts correlate this activity by observing overlapping command-and-control infrastructure, shared malware tooling (such as TURNEDUP and DROPSHOT), and similar targeting patterns across campaigns documented by Mandiant, Microsoft, and CrowdStrike.

APT33 is distinct from other Iranian threat clusters that security teams may encounter. APT34 (OilRig/Helix Kitten) focuses on Middle Eastern government and financial targets using different tooling. APT35 (Charming Kitten/Phosphorus) primarily conducts credential theft against journalists, activists, and policy researchers. While these groups may share infrastructure or coordinate operations, their targeting, tooling, and TTPs differ significantly. Defenders should not assume that APT33 indicators apply to other Iranian clusters.

Strategic objectives

APT33's primary mission is espionage that advances Iranian national interests, specifically in the realms of economic growth and military self-sufficiency. The group targets organizations that hold critical data related to aviation, petrochemicals, and defense technology. This suggests a mandate to acquire intellectual property that can be reverse-engineered or used to modernize Iran's infrastructure.

The connection to the IRGC shapes these priorities, moving the group beyond simple financial crime or random disruption. Their operations are calculated and persistent, often lasting for months within a victim's network to ensure complete data exfiltration. This strategic alignment makes them a significant risk to national security interests in the Middle East, the United States, and Asia.

Who does APT33 target?

APT33's targeting is highly specific and reflects Iran's strategic priorities and regional rivalries. The group primarily focuses on organizations in the aerospace, defense, and energy sectors. This includes both military and commercial aviation companies, as well as petrochemical firms that are vital to the global energy market.

Geographically, their campaigns heavily target the United States, Saudi Arabia, and South Korea. These targets often align with geopolitical tensions, increasing in intensity during periods of strained diplomatic relations. Understanding these patterns helps organizations determine if they fall within the group's operational scope and elevated risk profile.

How does APT33 operate?

APT33 has been observed employing a consistent operational playbook that has evolved from simple phishing to sophisticated cloud-based attacks. They are known for blending custom malware with "living off the land" techniques, using tools already present on a system to hide their activity. Understanding these tactics, techniques, and procedures (TTPs) is essential for building effective detection logic.

Initial access techniques

Historically, spear phishing was the group's primary method for gaining entry into a network. They would send emails with malicious HTML application (.hta) files or links to credential harvesting pages disguised as legitimate business documents. These emails often targeted specific employees in HR or recruitment roles to increase the likelihood of engagement.

They have been reported exploiting known vulnerabilities across two vectors: client-side software (e.g., WinRAR CVE-2018-20250, Outlook CVE-2017-11774) that requires user interaction, and internet-facing server platforms (e.g., Atlassian Confluence) that attackers can exploit directly without user involvement. They also employ domain masquerading, registering domains that look nearly identical to legitimate vendor sites to trick users and bypass reputation filters.

Persistence and privilege escalation

Once inside a network, APT33 establishes persistence to ensure they can return even if a computer is rebooted. They commonly use registry run keys and scheduled tasks to execute their payloads automatically. To move laterally and escalate privileges, they utilize credential dumping tools like Mimikatz to harvest passwords from memory.

The group heavily relies on legitimate administrative tools to blend in with normal network traffic. This behavior maps to the MITRE ATT&CK technique 'Command and Scripting Interpreter' (T1059), including its PowerShell sub-technique (T1059.001), and to Windows Management Instrumentation (T1047). By using native system tools rather than external malware for these steps, they often evade antivirus solutions that look for known malicious files.
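The persistence and living-off-the-land behaviours described above (run key writes, scheduled task creation, encoded PowerShell, WMI-spawned processes) can be triaged from ordinary Windows telemetry. This is an added example, not Wiz code or a Wiz detection rule; the event records are constructed to mirror the shape of Sysmon registry/process events and the Security log task-creation event, and the ATT&CK mapping is the editor's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Field names follow common
# Sysmon (id 13 registry set, id 1 process create) and Security (4698 task
# created) log shapes, simplified to what the checks below need.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\Public\svc.hta"},
    {"id": 4698, "task": r"\Microsoft\Windows\Maintenance\SyncHelper",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -enc SQBFAFgA"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

# Autostart locations under HKLM/HKU: Run and RunOnce.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# -e, -ec, -enc and -encodedcommand all switch PowerShell into encoded-command mode.
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


def _is_powershell(path: str) -> bool:
    return path.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def triage(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (ATT&CK id, reason) findings for events matching the described TTPs."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            findings.append(("T1547.001", f"Run key write {ev['target']} -> {ev['details']}"))
        elif ev["id"] == 4698:
            findings.append(("T1053.005", f"Scheduled task created: {ev['task']}"))
            if ENCODED.search(ev["command"]):
                findings.append(("T1059.001", f"Task runs encoded PowerShell: {ev['task']}"))
        elif ev["id"] == 1:
            if _is_powershell(ev["image"]) and ENCODED.search(ev["cmdline"]):
                findings.append(("T1059.001", f"Encoded PowerShell: {ev['cmdline']}"))
            if ev["parent"].lower().endswith("\\wmiprvse.exe"):
                findings.append(("T1047", f"{ev['image']} spawned by the WMI provider host"))
    return findings


if __name__ == "__main__":
    for technique, reason in triage(SAMPLE_EVENTS):
        print(technique, reason)
```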

Notable APT33 campaigns

APT33 has maintained a steady operational tempo for over a decade. Their campaigns have evolved from simple phishing to complex, multi-stage intrusions targeting cloud infrastructure.

  • Aviation sector targeting (2016-2017): The group launched a massive spear phishing campaign targeting aerospace and aviation companies in the United States and Saudi Arabia. The goal was to steal technical specifications and proprietary data to support Iran's domestic aviation capabilities.

  • Energy sector operations (2017-2018): APT33 expanded its scope to target petrochemical companies in Saudi Arabia and South Korea. These operations coincided with geopolitical tensions and aimed to gather intelligence on critical energy infrastructure.

  • Peach Sandstorm password spraying (2023): In a shift toward cloud vectors, the group (tracked as Peach Sandstorm by Microsoft) conducted large-scale password spraying attacks. They targeted thousands of organizations in the defense, satellite, and pharmaceutical sectors, looking for weak credentials to access cloud tenants.
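The password-spraying pattern from the 2023 campaign is a useful one to test detection logic against: one source hits many distinct accounts with one or two guesses each, rather than hammering a single account. This added example (not Wiz code) runs that check over constructed sign-in records; the field names, IP addresses and thresholds are the editor's assumptions, and the records are not real tenant data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List


def sample_signins() -> List[Dict]:
    """Constructed sign-in records: a spraying source making one guess per
    account across 12 accounts (one of them succeeds), and a normal user who
    mistypes a password twice before logging in."""
    spray = [{"ts": "2023-09-01T02:00:00Z", "user": f"user{i:02d}@example.com",
              "ip": "203.0.113.10", "ok": False} for i in range(12)]
    spray.append({"ts": "2023-09-01T02:05:00Z", "user": "user07@example.com",
                  "ip": "203.0.113.10", "ok": True})
    normal = [
        {"ts": "2023-09-01T02:01:00Z", "user": "alice@example.com", "ip": "198.51.100.5", "ok": False},
        {"ts": "2023-09-01T02:01:30Z", "user": "alice@example.com", "ip": "198.51.100.5", "ok": False},
        {"ts": "2023-09-01T02:02:00Z", "user": "alice@example.com", "ip": "198.51.100.5", "ok": True},
    ]
    return spray + normal


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_spray(signins: List[Dict], window: timedelta = timedelta(hours=1),
                 min_users: int = 10, max_per_user: float = 2.0) -> Dict[str, Dict]:
    """Flag source IPs whose failures inside the window touch at least min_users
    distinct accounts with few attempts per account (T1110.003, Password Spraying).
    Any later success from that IP against a sprayed account is reported as compromised."""
    by_ip: Dict[str, List[Dict]] = defaultdict(list)
    for rec in signins:
        by_ip[rec["ip"]].append(rec)
    alerts: Dict[str, Dict] = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: _parse(r["ts"]))
        fails = [r for r in rows if not r["ok"]]
        if not fails:
            continue
        start = _parse(fails[0]["ts"])
        in_window = [r for r in fails if _parse(r["ts"]) - start <= window]
        users = {r["user"] for r in in_window}
        if len(users) < min_users or len(in_window) / len(users) > max_per_user:
            continue  # few accounts or many guesses per account: not a spray
        compromised = sorted({r["user"] for r in rows
                              if r["ok"] and _parse(r["ts"]) >= start and r["user"] in users})
        alerts[ip] = {"users": len(users), "attempts": len(in_window), "compromised": compromised}
    return alerts
```

The compromised list is the part worth acting on first: a successful sign-in from a spraying source is the point at which a weak credential has become cloud-tenant access.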

How Wiz helps detect and defend against threat actors

Wiz provides a unified platform that helps organizations defend against sophisticated threat actors by correlating risks across the cloud stack. Wiz Defend helps detect suspicious runtime behaviors commonly used by advanced persistent threats (such as malicious PowerShell execution, credential dumping, and lateral movement attempts) using cloud context to correlate identity events with workload exposure and reduce alert noise. This allows security teams to spot active attacks that bypass traditional perimeter defenses.

The Wiz Threat Center tracks vulnerabilities known to be weaponized by threat actors. This enables teams to prioritize patching based on actual threat intelligence rather than generic severity scores. When a threat is detected, the Wiz Investigation Graph visualizes the full attack scope, showing exactly which identities, resources, and data are involved. This context allows incident responders to assess the blast radius immediately.

Additionally, Wiz can help you understand detection and visibility coverage in terms of MITRE ATT&CK techniques, highlighting common blind spots relevant to cloud intrusions, such as gaps in identity event logging or runtime monitoring for container workloads. By unifying visibility across misconfigurations, vulnerabilities, identity risks, and runtime threats, Wiz enables a defense-in-depth strategy that is critical for stopping state-sponsored espionage and other advanced threats.

To see how contextual cloud risk analysis can accelerate prevention and response against sophisticated threat actors, get a demo at https://www.wiz.io/demo.
