APT35 (aka Newscaster Team) is an Iranian government-sponsored cyber espionage team that conducts long-term, resource-intensive operations to collect strategic intelligence. Mandiant Threat Intelligence has observed APT35 operations dating back to 2014. APT35 has historically relied on marginally sophisticated tools, including publicly available webshells and penetration testing tools, suggesting a relatively nascent development capability. However, the breadth and scope of APT35’s operations, particularly as it relates to its complex social engineering efforts, likely indicates that the group is well resourced in other areas.
Name: Magic Hound (Palo Alto), APT 35 (Mandiant), Cobalt Illusion (SecureWorks), Charming Kitten (CrowdStrike), TEMP.Beanie (FireEye), Timberworm (Symantec), Tarh Andishan (Cylance), TA453 (Proofpoint), Phosphorus (Microsoft), Newscaster (iSight).
Location: Iran
Suspected attribution: State-sponsored
Date of initial activity: 2014
Targets: U.S., Western European, and Middle Eastern military, diplomatic, and government personnel; organizations in the media, energy, and defense industrial base; and the engineering, business services, and telecommunications sectors.
Motivation: Espionage, Surveillance
Associated tools: Browser Exploitation Framework (BeEF), MagicHound Toolset, PupyRAT
Attack vectors: APT35 typically relies on spear phishing to initially compromise an organization, often using lures related to health care, job postings, resumes, or password policies. However, we have also observed the group using compromised accounts with credentials harvested from prior operations, strategic web compromises, and password spray attacks against externally facing web applications as additional techniques to gain initial access.
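Of the initial-access techniques listed above, password spraying against externally facing web applications is the one most readily caught from authentication logs alone: a spray tries one or two passwords across many accounts, so a single source produces failures against many distinct usernames in a short window (the opposite shape of a brute force, which hammers one account). The following detector is an added example written for this page, not tooling from Mandiant or any vendor named here; the log format, field order, source addresses and usernames are all constructed for the illustration, and the window and user-count thresholds are assumptions to be tuned per environment.

```python
"""Password-spray detection over authentication logs (added example).

Flags source IPs whose failed logins span many distinct accounts within a
time window, and lists any successes from that IP after the spray began
(likely compromised accounts to review). Log format and sample lines are
constructed for this example and are not from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log format: "<ISO timestamp> <src_ip> <username> <SUCCESS|FAILURE>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")

# Constructed sample: 203.0.113.10 fails against 8 accounts in under three
# minutes and then succeeds against a ninth; 198.51.100.7 is one user
# mistyping a password; 192.0.2.44 is normal traffic.
SAMPLE_LOG = """\
2024-03-01T09:00:00 203.0.113.10 alice FAILURE
2024-03-01T09:00:20 203.0.113.10 bob FAILURE
2024-03-01T09:00:40 203.0.113.10 carol FAILURE
2024-03-01T09:01:00 203.0.113.10 dave FAILURE
2024-03-01T09:01:20 203.0.113.10 erin FAILURE
2024-03-01T09:01:40 203.0.113.10 frank FAILURE
2024-03-01T09:02:00 203.0.113.10 grace FAILURE
2024-03-01T09:02:20 203.0.113.10 heidi FAILURE
2024-03-01T09:02:40 203.0.113.10 ivan SUCCESS
2024-03-01T09:00:05 198.51.100.7 alice FAILURE
2024-03-01T09:00:15 198.51.100.7 alice FAILURE
2024-03-01T09:00:25 198.51.100.7 alice SUCCESS
2024-03-01T09:05:00 192.0.2.44 bob SUCCESS
"""


def parse_log(text):
    """Parse log text into (timestamp, src_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: finding} for IPs whose failures hit at least
    `min_users` distinct accounts inside any `window`-long span.
    Thresholds are assumptions; tune them to the application's baseline.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological; tuples sort on the datetime first
        failures = [e for e in evs if e[3] == "FAILURE"]

        # Sliding window over the failures: track the largest set of
        # distinct usernames seen within `window` of each other.
        best = set()
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1
            users = {e[2] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best = users

        if len(best) >= min_users:
            # A success from the same source after the spray started is the
            # account an analyst should treat as possibly compromised.
            first_fail = failures[0][0]
            compromised = sorted(
                {e[2] for e in evs if e[3] == "SUCCESS" and e[0] >= first_fail}
            )
            findings[ip] = {
                "distinct_users_failed": len(best),
                "successes_after_spray": compromised,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Keying on distinct usernames per source rather than on failure count is what separates this from a lockout-style rule: a spray deliberately stays under per-account lockout thresholds, so the per-account view never fires, while the per-source view does. In production the same logic should also be keyed on other pivots the page's description implies (a subnet, a user agent, or an ASN) since a spray spread across many source addresses defeats the single-IP grouping used here.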
How they work: The threat actors behind COBALT ILLUSION may operate as a set of loosely coupled contractors directed by a sponsor organization, resulting in personal-preference-based variations in the TTPs used across COBALT ILLUSION operations. Relational patterns between these operations may only become visible over an extended period of time. Aspects of COBALT ILLUSION operations had previously been reported as associated with COBALT GYPSY; these have since been reassessed. Individuals within the COBALT ILLUSION group are suspected of conducting their own “side-operations” from time to time, further confusing the intelligence picture.
Since at least 2011, COBALT ILLUSION has targeted a broad range of individuals and verticals with fake social media personas, phishing, and strategic web compromise operations. CTU researchers assess with moderate confidence that COBALT ILLUSION operates on behalf of Iran with the intent to conduct espionage and surveillance of individuals of interest to its sponsor. The group conducts extensive phishing campaigns, spoofing common webmail services such as Gmail and Yahoo or approaching targets via a network of fake social media personas. Phishing landing pages are often pre-populated with the target’s name and image to lend credibility to the page. Some campaigns use URL shortening services to hide the phishing domain in the initial phishing message.
COBALT ILLUSION also conducts news media and recruitment themed campaigns, deploying open source security tools, including The Browser Exploitation Framework (BeEF) and PupyRAT, to fake websites they have created or legitimate websites they have compromised. Operational mistakes have allowed researchers visibility into phishing kits and targeting databases used by COBALT ILLUSION, providing valuable insights into the group’s operations. Several online and real-world identities have been linked to COBALT ILLUSION activity, including Behzad Mesri, indicted by the FBI in 2019 on multiple charges and described as operating at the behest of the Islamic Revolutionary Guard Corps (IRGC).