ITG18

Threat Actor Profile Updated 3 days ago
ITG18, also known as Charming Kitten, Phosphorus, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various websites. IBM X-Force's longitudinal examination of ITG18 indicates that the group uses its infrastructure for multiple strategic objectives serving both short- and long-term interests. Its operations have consistently targeted individuals with an Iranian connection, but the group has also extended its scope to other entities, including those associated with the U.S. Office of Foreign Assets Control, which implements economic sanctions.

In 2020 and 2021, details of ITG18's operations were published, revealing their exploitation of identity against targeted individuals. In one instance, an ITG18 operator was observed exfiltrating data from compromised accounts of a member of the U.S. Navy and a personnel officer with nearly two decades of service in the Hellenic Navy. This suggested that ITG18 might be searching for specific information within military members' personal files to extend its cyber espionage operation further into the U.S. and Greek navies. More recently, in April 2020, ITG18 targeted a pharmaceutical executive, aligning with Iran's COVID-19 outbreak spike at the end of March 2020. This shows that ITG18 performs operations that serve multiple, distinct long-term objectives aligned with Iranian strategic interests.

Despite their determination and significant investment in operations, ITG18 has made mistakes that allowed IBM X-Force IRIS to gain valuable insights into how this group operates. Further analysis of ITG18's tactics, techniques, and procedures is available on IBM's Enterprise Intelligence Management platform via TruSTAR.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Charming Kitten | 2 | Charming Kitten is a threat actor group, believed to be of Iranian origin, known for its advanced and sophisticated cyberattacks. The group has been active in launching attacks against various entities in Brazil, Israel, and the United Arab Emirates using a new backdoor method, as reported by Securi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the ITG18 Threat Actor was read from the documents corpus below.
Source | Created At | Title
MITRE | a year ago | New Research Exposes Iranian Threat Group Operations
SecurityIntelligence.com | 3 days ago | Threat intelligence to protect vulnerable communities