ETDA ThaiCERT
Report
Search
Home > List all groups > ITG18

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: ITG18

NamesITG18 (IBM)
CountryIran Iran
MotivationInformation theft and espionage
First seen2013
Description(IBM) IBM X-Force Incident Response Intelligence Services (IRIS) has uncovered rare details on the operations of the suspected Iranian threat group ITG18, which overlaps with Magic Hound, APT 35, Cobalt Gypsy, Charming Kitten and Rocket Kitten, Newscaster, NewsBeef. In the past few weeks, ITG18 has been associated with targeting of pharmaceutical companies and the U.S. presidential campaigns. Now, due to operational errors—a basic misconfiguration—by suspected ITG18 associates, a server with more than 40 gigabytes of data on their operations has been analyzed by X-Force IRIS analysts.

Rarely are there opportunities to understand how the operator behaves behind the keyboard, and even rarer still are there recordings the operator self-produced showing their operations. But that is exactly what X-Force IRIS uncovered on an ITG18 operator whose OPSEC failures provide a unique behind-the-scenes look into their methods, and potentially, their legwork for a broader operation that is likely underway.
ObservedSectors: Defense, Government, Pharmaceutical.
Countries: USA.
Tools used
Operations performedMay 2020During a three-day period in May 2020, IBM X-Force IRIS discovered the 40 GBs of video and data files being uploaded to a server that hosted numerous ITG18 domains used in earlier 2020 activity. Some of the videos showed the operator managing adversary-created accounts while others showed the operator testing access and exfiltrating data from previously compromised accounts.
<https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/>
Information<https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/>

Last change to this card: 17 July 2020

Download this actor card in PDF or JSON format

Previous: IronHusky
Next: Ke3chang, Vixen Panda, APT 15, GREF, Playful Dragon

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key