Security experts are pointing the finger at Iran for cyber attacks against the U.S., Saudi Arabia and South Korea.

Cybersecurity firm FireEye has identified a new group of hackers, known as APT33, that it says has been working on behalf of the Iranian government since 2013. The group has “potential destructive capabilities,” FireEye warned.

“The campaigns that were laid out were not just aligned with the Iranian government but with the Iranian military,” said Stuart Davis, a director at FireEye subsidiary Mandiant.

Between the middle of 2016 and early 2017, APT33 targeted a U.S. organization in the aerospace sector and a Saudi Arabian company with aviation links, as well as a South Korean oil and chemicals firm, FireEye said.

APT33 targets represent “growth areas for the Iranian government,” Davis said on a conference call with reporters on Thursday.

Iran is emerging from years of isolation under sanctions and is now looking to expand in aviation and energy.

“As we continue to monitor the threat activity related to this, we will have key questions and observations on how that could expand out to other petrochemical entities potentially within Europe and Asia,” Davis said.

Related: Hackers catfish tech execs on LinkedIn

Iranian officials did not respond to requests for comment.

Fireeye said APT33 typically sends employees phishing emails that often appear to be credible, asking them to click links to job vacancies in their field.

Nick Carr, a senior Mandiant investigator, said the group used servers based in Iran and its malware contained Farsi language.

He warned that even if users did not click on the links, APT33 had other tools they could use to break into systems.

“They may bang on the door if you don’t open,” he said.

In January, Saudi Arabia warned of a crippling cyber attack, Shamoon 2, after several organizations were targeted by smaller hacks.

Shamoon 2 is a reworked and updated version of the malware used in the huge cyberattack in 2012 on Saudi Aramco, the world’s biggest oil company.