ITG18

Threat Actor updated 4 months ago (2024-05-14T21:17:33.531Z)
ITG18, also known as Charming Kitten, Phosphorus, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various websites. IBM X-Force's longitudinal examination of ITG18 indicates that the group uses its infrastructure for multiple strategic objectives serving both short- and long-term interests. Their operations have consistently targeted individuals with an Iranian connection, but they have also extended their scope to other entities, including those associated with the U.S. Office of Foreign Assets Control, which implements economic sanctions.

In 2020 and 2021, details of ITG18's operations were published, revealing their exploitation of identity against targeted individuals. In one instance, an ITG18 operator was observed exfiltrating data from compromised accounts of a member of the U.S. Navy and a personnel officer with nearly two decades of service in the Hellenic Navy. This suggested that ITG18 might be searching for specific information within military members' personal files to extend their cyber espionage operation further into the U.S. and Greek Navy. More recently, in April 2020, ITG18 targeted a pharmaceutical executive, aligning with Iran’s COVID-19 outbreak spike at the end of March 2020. This shows that ITG18 performs operations that serve multiple, distinct long-term objectives aligned to Iranian strategic interests.

Despite their determination and significant investment in operations, ITG18 has made mistakes that allowed IBM X-Force IRIS to gain valuable insights into how this group operates. Further analysis of ITG18's tactics, techniques, and procedures is available on IBM's Enterprise Intelligence Management platform via TruSTAR.
Description last updated: 2024-05-14T21:16:37.415Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
| ID | Votes | Profile Description |
| --- | --- | --- |
| Charming Kitten | 2 | Charming Kitten, also known as APT42, Storm-2035, Damselfly, Mint Sandstorm, TA453, and Yellow Garuda, is an Iranian threat actor group that has been linked to various cyber attacks. It has targeted entities in Brazil, Israel, and the United Arab Emirates using a new backdoor, as revealed by securit |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Source Document References
Information about the ITG18 Threat Actor was read from the documents corpus below.
| Source Link | Created At | Title |
| --- | --- | --- |
| SecurityIntelligence.com | 4 months ago | Threat intelligence to protect vulnerable communities |
| MITRE | 2 years ago | New Research Exposes Iranian Threat Group Operations |