APT39
G00871 reportsAnalyst assessment — key judgments
- Signature techniques: T1090.004 (Domain Fronting), T1090.001 (Internal Proxy).
- Primary targeting: US.
- Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
- Recent movement: 2 new technique(s), 8 new infrastructure indicator(s) in the last 30 days.
- Hunt coverage 100% of 2 observed techniques (0 gap(s)).
- Assessment confidence: medium (60).
Activity & trend
Movement — last 30 days
Overview
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)
ATT&CK technique matrix
- T1090.004 · Domain Frontingconf 601evidence: Finding SOCKS with Proxywatch
- T1090.001 · Internal Proxyconf 601evidence: Finding SOCKS with Proxywatch
Threat catalogue · engineering roadmap
Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.
Infrastructure
Relationships
Activity
| Title | Source | Severity | Collected |
|---|