ITG18

Threat Actor updated 6 months ago (2024-05-14T21:17:33.531Z)
Download STIX
Preview STIX
ITG18, also known as Charming Kitten, Phosphorous, and TA453, is a threat actor that has been active since at least 2013. The group is known for its meticulous techniques in cyber espionage, such as validating stolen credentials by copying and pasting victim usernames and passwords into various websites. IBM X-Force's longitudinal examination of ITG18 indicates that the group uses its infrastructure for multiple strategic objectives serving both short and long-term interests. Their operations have consistently targeted individuals with an Iranian connection, but they have also extended their scope to other entities, including those associated with the U.S. Office of Foreign Assets Control, which implements economic sanctions. In 2020 and 2021, details of ITG18's operations were published, revealing their exploitation of identity against targeted individuals. In one instance, an ITG18 operator was observed exfiltrating data from compromised accounts of a member of the U.S. Navy and a personnel officer with nearly two decades of service in the Hellenic Navy. This suggested that ITG18 might be searching for specific information within military members' personal files to extend their cyber espionage operation further into the U.S. and Greek Navy. More recently, in April 2020, ITG18 targeted a pharmaceutical executive, aligning with Iran’s COVID-19 outbreak spike at the end of March 2020. This shows that ITG18 performs operations that serve multiple, distinct long-term objectives aligned to Iranian strategic interests. Despite their determination and significant investment in operations, ITG18 has made mistakes that allowed IBM X-Force IRIS to gain valuable insights into how this group operates. Further analysis of ITG18's tactics, techniques, and procedures is available on IBM's Enterprise Intelligence Management platform via TruSTAR.
Description last updated: 2024-05-14T21:16:37.415Z
What's your take? (Question 1 of 0)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Charming Kitten is a possible alias for ITG18. Charming Kitten, also known as APT35 or APT42 among other names, is a threat actor believed to be linked to the Iranian government. The group has been implicated in a series of cyber-attacks against various entities in Brazil, Israel, and the U.A.E., deploying a new backdoor that initiates an infect
2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Source Document References
Information about the ITG18 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
SecurityIntelligence.com
6 months ago
MITRE
2 years ago