Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). This group evolved into Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.
TA0043 | TA0042 | TA0001 | TA0002 | TA0003 | TA0004 | TA0005 | TA0006 | TA0007 | TA0008 | TA0009 | TA0011 | TA0010 | TA0040 |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
2019 by Cyber Operations Tracker from Council on Foreign Relations
2016-01-22 by Department of Justice from Department of Justice
2015-10-07 by CTU Research Team from Secureworks
Actor: Cutting Kitten, TG-2889
Names: Cutting Kitten, TG-2889
Country: Iran
Sponsor: State-sponsored, security company ITSecTeam
Motivation: Information theft and espionage
First-seen: 2012
Description: Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). This group evolved into Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.
Observed-sectors: Aerospace
Observed-sectors: Aviation
Observed-sectors: Chemical
Observed-sectors: Defense
Observed-sectors: Education
Observed-sectors: Energy
Observed-sectors: Financial
Observed-sectors: Government
Observed-sectors: Healthcare
Observed-sectors: Oil and gas
Observed-sectors: Technology
Observed-sectors: Telecommunications
Observed-sectors: Transportation
Observed-sectors: Utilities
Observed-sectors: (banks: Bank of America, US Bancorp, Fifth Third Bank, Citigroup, PNC, BB&T, Wells Fargo, Capital One and HSBC)
Observed-countries: Canada
Observed-countries: China
Observed-countries: France
Observed-countries: Germany
Observed-countries: India
Observed-countries: Israel
Observed-countries: Kuwait
Observed-countries: Mexico
Observed-countries: Netherlands
Observed-countries: Pakistan
Observed-countries: Qatar
Observed-countries: Saudi Arabia
Observed-countries: South Korea
Observed-countries: Turkey
Observed-countries: UAE
Observed-countries: UK
Observed-countries: USA
Tools: CsExt
Tools: DistTrack
Tools: Jasus
Tools: KAgent
Tools: Leash
Tools: Logger Module
Tools: MPKBot
Tools: Net Crawler
Tools: PupyRAT
Tools: PVZ-In
Tools: PVZ-Out
Tools: SynFlooder
Tools: SysKit
Tools: TinyZBot
Tools: WndTest
Tools: zhCat
Tools: zhMimikatz
Operations: 2012 Operation “Cleaver”: Operation Cleaver has, over the past several years, conducted a significant global surveillance and infiltration campaign. To date it has successfully evaded detection by existing security technologies. The group is believed to work from Tehran, Iran, although auxiliary team members were identified in other locations including the Netherlands, Canada, and the UK. The group successfully leveraged both publicly available and customized tools to attack and compromise targets around the globe. The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments. https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
Operations: 2013 Attack on the Bowman Avenue Dam: Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City two years ago, sparking concerns that reached to the White House, according to former and current U.S. officials and experts familiar with the previously undisclosed incident. https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
Operations: 2015 Network of Fake LinkedIn Profiles: While tracking a suspected Iran-based threat group known as Threat Group-2889 (TG-2889), Dell SecureWorks Counter Threat Unit (CTU) researchers uncovered a network of fake LinkedIn profiles. These convincing profiles form a self-referenced network of seemingly established LinkedIn users. CTU researchers assess with high confidence that the purpose of this network is to target potential victims through social engineering. https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles
Counter-operations: 2016-03 U.S. indicts Iranians for hacking dozens of banks, New York dam. https://www.reuters.com/article/us-usa-iran-cyber/u-s-indicts-iranians-for-hacking-dozens-of-banks-new-york-dam-idUSKCN0WQ1JF
Mitre-attack: https://attack.mitre.org/groups/G0003/
Last-card-change: 2022-09-13
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi