APT33
APT33 is an APT group also known as Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35 and TA451. The group was first spotted in 2013 and is known to be based in Iran.
The countries targeted by APT33 include Iran, Iraq, Israel, Saudi Arabia, South Korea, the United Kingdom, and the United States. Target sectors include aerospace, defense, education, energy, financial, government, healthcare, high-tech, manufacturing, media, petrochemicals and private sector.
The group’s main motivations are espionage and information theft. APT33 aims to sustain its operations by obtaining sensitive information.
Tools used by APT33 include AutoIt backdoor, DarkComet, DistTrack, EmpireProject, Filerase, JuicyPotato, LaZagne, Living off the Land, Mimikatz, NanoCore RAT, NetWire RC, PoshC2, PowerBand, PowerSploit, POWERTON, PsList, PupyRAT, QuasarRAT, RemcosRAT, Ruler, SHAPESHIFT, StoneDrill and TURNEDUP. These tools serve various functions, such as establishing backdoors, stealing information and credentials, exfiltrating data, planting spyware, and spreading as worms that propagate malware.
The tactics and techniques used by APT33 are T1071, T1071.001, T1560, T1560.001, T1547, T1547.001, T1110, T1110.003, T1059, T1059.001, T1059.005, T1555, T1555.003, T1132, T1132.001, T1573, T1573.001, T1546, T1546.003, T1048, T1048.003, T1203, T1068, T1105, T1040, T1571, T1027, T1588, T1588.002, T1003, T1003.001, T1003.004, T1003.005, T1566, T1566.001, T1566.002, T1053, T1053.005, T1552, T1552.001, T1552.006, T1204, T1204.001 and T1204.002. These MITRE ATT&CK technique IDs describe the behaviour the group has been observed using while planning and carrying out its operations.
APT34
APT34 is an APT group also known as Twisted Kitten, Cobalt Gypsy, Crambus, Helix Kitten, IRN2, ATK40, G0049, Evasive Serpens, and OilRig. Based in Iran, this group specifically targets government, private sector, and non-profit organizations, and its main motivation is espionage.
APT34 targets Israel, Kuwait, the United States, Turkey, Saudi Arabia, Qatar, Lebanon, and countries across the Middle East. This group uses a variety of cyber attack techniques to obtain sensitive information.
Tactics and techniques used by APT34 include system information gathering (T1087, T1087.001, T1087.002), communication protocol exploits (T1071, T1071.001, T1071.004), code injection (T1059, T1059.001, T1059.003, T1059.005), credential stealing (T1555, T1555.003, T1555.004), post-infiltration actions (T1573, T1573.002), data exfiltration (T1048, T1048.003), and many other sophisticated techniques. These techniques demonstrate the group's ability to infiltrate target systems, gather information, and exploit the exfiltrated information to its advantage.
APT34 is known for organizing elaborate and long-term espionage campaigns against strategically important targets, particularly in the Middle East region.
APT35
APT35 is an APT group also known as Newscaster Team, Magic Hound, G0059, Phosphorus, Cobalt Illusion, Cobalt Mirage, Charming Kitten, TEMP.Beanie, Timberworm, Tarh Andishan, TA453, TunnelVision, UNC788 and Yellow Garuda, and is associated with Operation Thamar Reservoir, Operation BadBlood, and Operation SpoofedScholars. First detected in 2012, this group is an Iran-based threat.
Countries targeted by APT35 include Afghanistan, Canada, Egypt, Iran, Iraq, Israel, Jordan, Kuwait, Morocco, Pakistan, Saudi Arabia, Spain, Syria, Turkey, the United Arab Emirates, the United Kingdom, the United States, Venezuela and Yemen. Target sectors include defense, energy, financial, government, healthcare, IT, oil and gas, technology and telecommunications.
The group’s main motivations are espionage and information theft. APT35 uses a variety of cyber attack tools and techniques to obtain sensitive information from target organizations.
The tools used by APT35 include CWoolger, DistTrack, DownPaper, FireMalv, FRP, Ghambar, Havij, HYPERSCRAPE, Leash, Matryoshka RAT, Mimikatz, MPKBot, NETWoolger, PINEFLOWER, PowerLess Backdoor, PsList, PupyRAT, sqlmap and TDTESS. These tools serve various functions such as establishing backdoors, stealing information and credentials, exfiltrating data, and bypassing system security measures.
The tactics and techniques used by APT35 include system information gathering (T1087, T1087.003), credential misuse (T1098, T1098.002), building cyber attack infrastructure (T1583, T1583.001, T1583.006), using communication protocols (T1071, T1071.001), data exfiltration (T1560, T1560.001), and many other sophisticated techniques. These techniques demonstrate the group's ability to infiltrate target systems, gather information, and exploit the exfiltrated information to its advantage.
APT35 is known for orchestrating long-term espionage campaigns against strategically important targets across a wide geographic range.
APT39
APT39 is an APT group also known as Chafer, REMIX KITTEN, COBALT HICKMAN, G0087, Radio Serpens, TA454 and ITG07. First detected in 2014, this group is an Iran-based threat.
Countries targeted by APT39 include Israel, Jordan, Kuwait, Saudi Arabia, Spain, Turkey, the United Arab Emirates, and the United States. This group specifically targets the aerospace, engineering, government, high-tech, IT, shipping and logistics, telecommunications, and transportation sectors.
The group’s main motivations are espionage and information theft. APT39 uses various cyber-attack tools and techniques to obtain sensitive information.
Tools used by APT39 include Antak, ASPXSpy, EternalBlue, HTTPTunnel, Living off the Land, MechaFlounder, Metasploit, Mimikatz, nbtscan, Non-sucking Service Manager, OilRig, Plink, POWBAT, pwdump, Rana, Remcom, Remexi, SafetyKatz, SEAWEED, UltraVNC and Windows Credentials Editor. These tools serve various functions, such as establishing backdoors, stealing information and credentials, exfiltrating data, and bypassing system security measures.
The tactics and techniques used by APT39 include system information gathering (T1071, T1071.001, T1071.004), data exfiltration (T1560, T1560.001), startup item misuse (T1547, T1547.001, T1547.009), credential misuse (T1110, T1555), and many other sophisticated techniques. These techniques demonstrate the group's ability to infiltrate target systems, gather information, and exploit the exfiltrated information to its advantage.
APT39 is known for organizing long-term espionage campaigns against targets of strategic importance, particularly in the Middle East.
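As an added example that is not part of the original profiles, the Python script below parses the technique lists given above for the four groups, normalises the IDs (including the "T1048. 003" spacing that copy-pasted reports often carry), and ranks parent techniques by how many of the groups share them, which is a defender's first cut at prioritising detection coverage across this cluster. The APT34, APT35 and APT39 lists are the partial ones the page gives, so their counts are lower bounds.

```python
import re
from collections import Counter

# Technique lists transcribed from the four profiles above. Only the APT33
# list is complete; the page gives partial lists for the other three groups.
RAW_PROFILES = {
    "APT33": "T1071, T1071.001, T1560, T1560.001, T1547, T1547.001, T1110, "
             "T1110.003, T1059, T1059.001, T1059.005, T1555, T1555.003, "
             "T1132, T1132.001, T1573, T1573.001, T1546, T1546.003, T1048, "
             "T1048. 003, T1203, T1068, T1105, T1040, T1571, T1027, T1588, "
             "T1588.002, T1003, T1003.001, T1003.004, T1003.005, T1566, "
             "T1566.001, T1566.002, T1053, T1053.005, T1552, T1552.001, "
             "T1552.006, T1204, T1204.001 and T1204.002",
    "APT34": "T1087, T1087.001, T1087.002, T1071, T1071.001, T1071.004, T1059, "
             "T1059.001, T1059. 003, T1059.005, T1555, T1555.003, T1555.004, "
             "T1573, T1573.002, T1048, T1048.003",
    "APT35": "T1087, T1087.003, T1098, T1098.002, T1583, T1583.001, T1583.006, "
             "T1071, T1071.001, T1560, T1560.001",
    "APT39": "T1071, T1071.001, T1071.004, T1560, T1560.001, T1547, T1547.001, "
             "T1547.009, T1110, T1555",
}
# Matches "T1234" or "T1234.567", tolerating whitespace after the dot.
_TID = re.compile(r"T(\d{4})(?:\.\s*(\d{3}))?")

def parse_techniques(text):
    """Return the set of normalised ATT&CK technique IDs found in free text."""
    found = set()
    for num, sub in _TID.findall(text):
        found.add(f"T{num}.{sub}" if sub else f"T{num}")
    return found

def parent(tid):
    """T1048.003 -> T1048; a parent ID is returned unchanged."""
    return tid.split(".")[0]

def rank_shared(profiles):
    """Parent techniques ranked by the number of groups using them (ties by ID)."""
    counts = Counter()
    for text in profiles.values():
        counts.update({parent(t) for t in parse_techniques(text)})
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def groups_using(profiles, tid):
    """Groups whose list contains tid or any of its sub-techniques."""
    return sorted(g for g, text in profiles.items()
                  if any(parent(t) == tid for t in parse_techniques(text)))

if __name__ == "__main__":
    for tid, n in rank_shared(RAW_PROFILES)[:6]:
        print(f"{tid}: {n} group(s) -> {', '.join(groups_using(RAW_PROFILES, tid))}")
```

Only T1071 appears in all four lists; T1555 and T1560 each appear in three, which is where a detection engineer covering this cluster would start.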