Names Chafer (Symantec)
APT 39 (Mandiant)
Remix Kitten (CrowdStrike)
Cobalt Hickman (SecureWorks)
TA454 (Proofpoint)
ITG07 (IBM)
Radio Serpens (Palo Alto)
Country Iran
Sponsor State-sponsored, Rana Intelligence Computing Company
Motivation Information theft and espionage
First seen 2014
Description (FireEye) APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as “Chafer.” However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.
APT39’s focus on the telecommunications and travel industries suggests intent to perform monitoring, tracking, or surveillance operations against specific individuals, collect proprietary or customer data for commercial or operational purposes that serve strategic requirements related to national priorities, or create additional accesses and vectors to facilitate future campaigns. The targeting of government entities suggests a potential secondary intent to collect geopolitical data that may benefit nation-state decision making. Targeting data supports the belief that APT39’s key mission is to track or monitor targets of interest, collect personal information, including travel itineraries, and gather customer data from telecommunications firms.
Observed Sectors: Aviation, Engineering, Government, High-Tech, IT, Shipping and Logistics, Telecommunications, Transportation.
Countries: Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, UAE, USA and Middle East.
Tools used Antak, ASPXSpy, EternalBlue, HTTPTunnel, MechaFlounder, …
Feb 2018 Turkish Government Targeting
This new secondary payload is Python-based and compiled into executable form using the PyInstaller utility. This is the first instance where Unit 42 has identified a Python-based payload used by these operators. We’ve also identified code overlap with OilRig’s Clayside VBScript but at this time track Chafer and OilRig as separate threat groups. We have named this payload MechaFlounder for tracking purposes.
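A first triage step for a suspected MechaFlounder-style sample is to confirm that it really is a PyInstaller bundle before trying to unpack it. The script below is an added example, not code from the page or from the Unit 42 report: it searches a file image for the archive cookie that the PyInstaller bootloader appends (magic bytes `MEI\x0c\x0b\x0a\x0b\x0e` followed by an 88-byte, big-endian header in the PyInstaller 2.1+ layout) and parses the archive length, table-of-contents position and embedded Python version. The sample bytes are constructed here for the demonstration, and the decoding of the version field (two digits for older builds such as `27`, three for newer ones such as `310`) is a heuristic assumption rather than something the page states.

```python
import struct

# PyInstaller CArchive cookie appended by the bootloader (PyInstaller >= 2.1 layout).
# Fields: magic, total archive length, TOC offset, TOC length, Python version,
# name of the bundled Python shared library (NUL-padded to 64 bytes).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FORMAT = "!8sIIIi64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FORMAT)  # 88 bytes


def decode_pyvers(pyvers: int) -> str:
    """Heuristic (assumption): 27 -> '2.7', 38 -> '3.8', 310 -> '3.10'."""
    if pyvers >= 100:
        major, minor = divmod(pyvers, 100)
    else:
        major, minor = divmod(pyvers, 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return parsed cookie fields if `data` looks like a PyInstaller bundle, else None.

    The cookie normally sits at the end of the overlay, but trailing data such as
    an Authenticode signature may follow it, so search for the magic from the tail
    instead of assuming it is the last 88 bytes of the file.
    """
    idx = data.rfind(PYINSTALLER_MAGIC)
    if idx == -1 or idx + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_pos, toc_len, pyvers, pylib = struct.unpack(
        COOKIE_FORMAT, data[idx:idx + COOKIE_SIZE]
    )
    archive_start = idx + COOKIE_SIZE - pkg_len
    # Sanity checks: the archive must fit inside the file and the TOC inside the archive.
    if archive_start < 0 or toc_pos + toc_len > pkg_len:
        return None
    return {
        "cookie_offset": idx,
        "archive_start": archive_start,
        "archive_length": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": decode_pyvers(pyvers),
        "python_lib": pylib.rstrip(b"\0").decode("ascii", errors="replace"),
    }


def build_fake_sample(pyvers: int = 27, pylib: bytes = b"python27.dll") -> bytes:
    """Constructed test input: a dummy MZ stub plus a minimal fake PyInstaller overlay.

    This is not a real sample; it only reproduces the cookie layout so the
    scanner can be exercised offline.
    """
    stub = b"MZ" + b"\0" * 62                 # 64-byte placeholder for the PE image
    payload = b"PYZ-00.pyz" + b"\0" * 100     # 110 bytes standing in for archive entries
    toc = b"\0" * 32                          # 32-byte placeholder table of contents
    pkg_len = len(payload) + len(toc) + COOKIE_SIZE
    cookie = struct.pack(
        COOKIE_FORMAT, PYINSTALLER_MAGIC, pkg_len, len(payload), len(toc), pyvers,
        pylib.ljust(64, b"\0"),
    )
    return stub + payload + toc + cookie


def scan_file(path: str):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return find_pyinstaller_cookie(fh.read())


if __name__ == "__main__":
    print(find_pyinstaller_cookie(build_fake_sample()))
    print(find_pyinstaller_cookie(b"MZ" + b"\0" * 200))  # not a PyInstaller bundle
```

A positive hit tells the analyst where the embedded CArchive begins and which interpreter version the bundle carries, which is what a dedicated extractor needs next; a clean PE with no cookie returns `None`, so the check is safe to run across a whole directory of samples.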
Autumn 2018 Spying on Iran-based foreign diplomatic entities
Throughout the autumn of 2018 we analyzed a long-standing (and still active at that time) cyberespionage campaign that was primarily targeting foreign diplomatic entities based in Iran. The attackers were using an improved version of Remexi in what the victimology suggests might be a domestic cyberespionage operation.
2018 Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor.
Counter operations Sep 2020 Treasury Sanctions Cyber Actors Backed by Iranian Intelligence Ministry
Last change to this card: 10 March 2024