Threat Actor Profile: APT35

Introduction

APT35, also known as Phosphorus, Charming Kitten, and Ajax Security Team, is an Iranian threat actor that has been active since at least 2014. The group has targeted organisations across multiple industries in the United States, the Middle East, Asia, and Europe, and its activities include cyber espionage and intellectual property theft. APT35 is known for its use of social engineering tactics, including spear-phishing emails and fake social media profiles, to gain access to targets’ systems.

Timeline of Incidents

• 2014: APT35’s activities were first reported by CrowdStrike, which linked the group to a campaign targeting the US defence industrial base and Iranian dissidents. The group was found to be using malware and spear-phishing tactics to gain access to their targets.
• 2017: ClearSky and Trend Micro reported on APT35’s phishing campaigns against political and civil rights activists, focusing on individuals who directly oppose the Iranian government. The group was found to be using a variety of techniques, including spear-phishing and social engineering, to compromise their targets.
• 2018: APT35 was observed targeting universities to steal intellectual property. The group used spear-phishing emails to trick victims into revealing their login credentials. The group also targeted organisations in the chemical, telecommunications, and petrochemical industries, using a combination of spear-phishing and watering hole attacks.
• 2019: Microsoft reported that APT35 attempted to compromise email accounts associated with a US presidential campaign, current and former US government officials, journalists, and prominent Iranians living outside Iran. The group used a variety of techniques, including password spraying and spear-phishing, to gain access to their targets.
• 2020: APT35 was linked to a series of attacks against global telecommunications providers, using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. The group was found to be using a combination of spear-phishing emails and custom malware to gain access to their targets.
• 2021: The group was observed using LinkedIn to conduct a social engineering campaign against targets in the defence and aerospace industries. The group used fake profiles to connect with their targets and then sent spear-phishing emails to compromise their systems.
• 2022: APT35 was reported to automate initial access using ProxyShell and also using malicious documents and zero-day exploits in their attacks. The group was found to be using a variety of techniques, including spear-phishing, social engineering, and exploiting software vulnerabilities, to gain access to their targets.
• 2023: The group was reported to target educational institutions. Additionally, new developments have emerged in 2023, including the use of BellaCiao malware, a .NET-based malware linked to APT35, and engaging in global password spray attacks since February 2023, focusing on sectors such as satellite, defense, and pharmaceuticals. The group used a combination of spear-phishing emails and custom malware to compromise their targets.

Geography and Political Affiliations

APT35 primarily targets entities that are of strategic importance to Iran’s government, including individuals and organisations that are seen as threats to the regime. The group has targeted organisations in the United States, the Middle East, Asia, and Europe, with a focus on sectors such as defence, telecommunications, and chemical industries.

APT35 is believed to be aligned with the Iranian government, and its activities are consistent with nation-state level cyber espionage. The group’s focus on gathering strategic intelligence suggests that it operates with at least the tacit approval of the Iranian government.

IOCs

Here are some of the known IOCs related to APT35:

• Hashes:
  • 6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a
  • 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
  • 9c4f9e9d48816a60c5dcb1c8e3e4c1e3c8d7b011b04553c0f594345119b3e7a0
• IPs:
  • 79.127.127[.]68
  • 46.209.20[.]17
  • 217.218.155[.]26
• URLs:
  • hxxp://login.yahoo.com.bins[.]gq
  • hxxp://owa.outlook.com.bins[.]gq
  • hxxp://adfs-sso[.]online
• Domains:
  • bins[.]gq
  • adfs-sso[.]online
  • outlook-login[.]cf

MITRE ATT&CK TTPs

APT35 is known to use a variety of tactics, techniques, and procedures (TTPs) as defined by the MITRE ATT&CK framework. Some of these include:

• Spearphishing Attachment (T1193): APT35 frequently uses spear-phishing emails with malicious attachments to gain initial access to the target’s system.
• Drive-by Compromise (T1189): The group has been known to compromise websites to deliver exploit kits.
• Exploitation for Client Execution (T1203): APT35 often uses exploits against software vulnerabilities to execute their code on a victim’s system.
• Scripting (T1064): The group uses scripts to automate tasks, evade detection, and move laterally within a network.
• Registry Run Keys / Startup Folder (T1060): APT35 uses registry run keys to establish persistence.
• Credential Dumping (T1003): The group uses tools like Mimikatz to obtain password hashes.
• Data Compressed (T1002): APT35 has been observed compressing data for exfiltration.
• Standard Application Layer Protocol (T1071): The group uses standard protocols such as HTTP and HTTPS for command and control communication.

For a full list of known TTPs used by APT35, refer to the group’s MITRE ATT&CK profile.

Further Reading

• ClearSky Operation Quicksand
• FireEye APT34 by the Numbers: A Team of One
• CrowdStrike Who is Charming Kitten
• Symantec APT34: Iranian Espionage
• Cisco Talos APT34
• Cybereason Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers