APT39 is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has targeted organizations in the Middle East, with a particular focus on the telecommunications and travel sectors. Their motives may include collecting intelligence, monitoring dissidents, or pursuing strategic goals aligned with Iran’s interests.
Name: Chafer (Symantec), APT 39 (Mandiant), Remix Kitten (CrowdStrike), Cobalt Hickman (SecureWorks), TA454 (Proofpoint), ITG07 (IBM)
Location: Iran
Suspected attribution: State-sponsored, Rana Intelligence Computing Company
Date of initial activity: 2014
Targets: Travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS
Motivation: Espionage
Associated tools: REMIX KITTEN, ITG07, Chafer
Attack vectors: In 2018, CTU researchers observed COBALT HICKMAN creating spoofed airline, telecommunication, and travel system provider domains to lure targets. The threat actors use phishing techniques to compromise credentials or to install the modular Remexi malware.
How they work: COBALT HICKMAN has been active since at least 2014 and possibly as early as 2011. In the past, the group primarily targeted Iranian domestic citizens, the wider Iranian diaspora, and the telecommunications and travel verticals.
CTU researchers discovered new infrastructure in early 2019, suggesting that COBALT HICKMAN remains active. The threat group continues its focus on the telecommunications and travel verticals, which CTU researchers assess with moderate confidence is for the purposes of surveillance operations on individuals and organizations of interest to the Iranian government.