Discovered in 2014 and originating from Iran, APT39 has carved out a unique place for itself on the global cybersecurity scene. Known by various names such as Chafer, REMIX KITTEN, and COBALT HICKMAN, this threat actor is particularly focused on specific targets in the Middle East and Western countries. As ThreatMon, we will examine APT39’s operational structure, the tools it uses, and its targets in detail.
Target and Sectoral Focus
The countries targeted by APT39 include Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, the UAE, and the United States. These geographical preferences align with Iran’s regional and global political interests. The threat actor has specifically targeted and continues to target critical sectors such as aviation, engineering, government, high-tech, IT, shipping and logistics, telecommunications, and transportation. This sectoral focus also reveals how APT39’s information-gathering and espionage activities serve Iran’s strategic interests.
Tools and TTPs Used
APT39 uses malware and various technical tools for espionage and information theft. Some notable tools the organization uses include Antak, ASPXSpy, and EternalBlue (0-Day Exploit). Furthermore, tools such as HTTP tunnel and Mimikatz play critical roles in APT39’s data exfiltration and credential-stealing operations. The organization’s ‘Living off the Land’ tactic, which abuses tools already present on the system, makes its activity difficult to detect.
The TTPs (Tactics, Techniques, and Procedures) used by APT39 include T1071 (Application Layer Protocol), T1560 (Archive Collected Data), and T1115 (Clipboard Data). These TTPs demonstrate the breadth and sophistication of the organization’s cyberattack and infiltration capabilities. Furthermore, techniques such as T1547 (Boot or Logon Autostart Execution) and T1027 (Obfuscated Files or Information) point to APT39’s ability to cover its tracks and maintain long-term access after infiltration.
With its advanced cyber espionage techniques and strategic target selection, APT39 has become an important tool serving Iran’s global and regional political objectives. This organization’s activities are something cyber intelligence firms should constantly monitor. The tools and tactics used by APT39 pose a threat to its victims and serve as a reference for cyber intelligence service providers to improve their clients’ defense mechanisms.
As ThreatMon, we continuously monitor APT39 and 1000+ known threat actors and APT groups and work to improve your defense mechanisms. Try ThreatMon’s Free Premium Access feature to avoid sophisticated attacks by the APT39 group and keep your systems secure!