Threat Actor Profile - APT35

Threat Actor: APT35; AKA "Charming Kitten"
Date of Activity: ~2014-Present
Overview: APT35, also known as Charming Kitten, is a state-sponsored Iranian hacking group that has been active since at least 2014. The group is known for targeting individuals and organizations in the United States, Israel, and other countries in the Middle East, with a focus on the government, military, and media sectors.
APT35 has been linked to several high-profile cyber-attacks, including the 2017 cyber-attack on the British Parliament, the 2018 hack of the US Department of Labor, and the 2019 attack on the personal email accounts of several US government officials. The group is known for using a variety of tools and techniques to gain access to victim networks, including spearphishing, password cracking, and the use of zero-day vulnerabilities.
One of the group's most notable tactics is its use of fake news and disinformation to advance its goals. In 2016, the group created a fake news website called NewsOnAir.org and used it to spread false information about the US presidential election. The group has also been known to create fake social media accounts and use them to spread disinformation and sow discord among target audiences.
Despite the widespread attention that APT35 has received in recent years, relatively little is known about the group's operations or its ultimate goals. Some experts believe that the group is working on behalf of the Iranian government, while others believe that it may be operating independently. In any case, the group remains a serious threat to the cybersecurity of individuals and organizations around the world.
TTPs:
• Nation-state tool set, including exploits, implants, and RATs
• Blending of cyber operations and disinformation campaigns
• Sophisticated social engineering
• Supply-chain interdiction and attacks
• Use of encrypted communications and co-opted infrastructure
• Long-term, deep access to victim networks
• Highly customizable toolkit tailored to specific operations