| Names | APT42 (Mandiant), TA453 (Proofpoint), Yellow Garuda (PwC), ITG18 (IBM X-Force), Mint Sandstorm (Microsoft) |
| Additional Names | Charming Kitten (ClearSky and CERTFA) |
| Location | Iran |
| Date of initial activity | 2015 |
| Suspected attribution | Islamic Revolutionary Guard Corps (IRGC)’s Intelligence Organization (IRGC-IO) |
| Motivation | Information theft, Espionage, Surveillance |
| Associated tools | VINETHORN, PINEFLOWER, TABBYCAT, VBREVSHELL, TAMECAT, POWERPOST, BROKEYOLK, CHAIRSMACK, GHAMBAR, MAGICDROP, DOSTEALER, SILENTUPLOADER |
Overview
APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.
The group’s operations, which are designed to build trust and rapport with their victims, have included accessing the personal and corporate email accounts of government officials, former Iranian policymakers or political figures, members of the Iranian diaspora and opposition groups, journalists, and academics who are involved in research on Iran.
Common targets
Civil society and non-profits, Education, Governments, Healthcare, Legal and professional services, Manufacturing, Media and entertainment, Pharmaceutical.
Attack Vectors
APT42 uses highly targeted spear-phishing and social engineering techniques designed to build trust and rapport with their victims in order to access their personal or corporate email accounts or to install Android malware on their mobile devices. In addition, APT42 infrequently uses Windows malware to complement their credential harvesting and surveillance efforts.
How they work
APT42 operations broadly fall into three categories:
- Credential harvesting: APT42 frequently targets corporate and personal email accounts through highly targeted spear-phishing campaigns with enhanced emphasis on building trust and rapport with the target before attempting to steal their credentials. Mandiant also has indications that the group leverages credential harvesting to collect Multi-Factor Authentication (MFA) codes to bypass authentication methods and has used compromised credentials to pursue access to the networks, devices, and accounts of employers, colleagues, and relatives of the initial victim.
- Surveillance operations: As of at least late 2015, a subset of APT42’s infrastructure served as command-and-control (C2) servers for Android mobile malware designed to track locations, monitor communications, and generally surveil the activities of individuals of interest to the Iranian government, including activists and dissidents inside Iran.
- Malware deployment: While APT42 primarily prefers credential harvesting over activity on disk, several custom backdoors and lightweight tools complement its arsenal. The group likely incorporates these tools into their operations when the objectives extend beyond credential harvesting.
Mandiant has observed over 30 confirmed targeted APT42 operations spanning these categories since early 2015. The total number of APT42 intrusion operations is almost certainly much higher based on the group’s high operational tempo, visibility gaps caused in part by the group’s targeting of personal email accounts and domestically focused efforts, and extensive open-source industry reporting on threat clusters likely associated with APT42.
