Iranian Threat Group ITG18 Exposed: Targeting US Military and Political Campaigns
- Actor Motivations: Espionage, Exfiltration
- Attack Vectors: Spear Phishing
- Attack Complexity: Medium
- Threat Risk: High Impact/High Probability
Threat Overview
IBM X-Force IRIS uncovered extensive details on ITG18 through operational errors. Over 40 GB of data and videos revealed ITG18’s targeting of U.S. Navy and Hellenic Navy personnel, U.S. presidential campaigns, pharmaceutical companies, and Iranian-American figures. The group employed credential harvesting, phishing, and email compromise, often using Zimbra to manage compromised accounts. ITG18's operations align with Iranian strategic interests, leveraging personal accounts to gather sensitive data on military operations and geopolitical targets. Multifactor authentication posed challenges, causing operators to pivot to new targets.
Detected Targets
Type | Description | Confidence |
---|---|---|
Case | Hellenic Navy: the naval force of Greece, part of the Hellenic Armed Forces. The modern Greek navy historically hails from the naval forces of various Aegean Islands, which fought in the Greek War of Independence. During the periods of monarchy it was known as the Royal Hellenic Navy. The Hellenic Navy has been targeted by ITG18 as a main target. | Verified |
Case | Office of Foreign Assets Control (OFAC): a financial intelligence and enforcement agency of the U.S. Treasury Department. It administers and enforces economic and trade sanctions in support of U.S. national security and foreign policy objectives. OFAC has been targeted by ITG18 as a main target. | Verified |
Case | United States Department of State: the executive department of the U.S. federal government responsible for the country's foreign policy and relations, commonly called the State Department. The State Department has been targeted by ITG18 as a main target. | Verified |
Case | United States Navy: the maritime service branch of the United States Armed Forces and one of the eight uniformed services of the United States. The U.S. Navy has been targeted by ITG18 as a main target. | Verified |
Sector | Government Agencies and Services | Verified |
Sector | Military | Verified |
Sector | Pharmaceuticals | Verified |
Region | Greece | Verified |
Region | United States | Verified |
FAQs
Understanding the ITG18 Cyber Espionage Exposure
A server misconfiguration exposed over 40 GB of internal training and operational data from a suspected Iranian cyber espionage group known as ITG18. This included desktop recordings showing how the group accessed and exfiltrated data from compromised accounts.
ITG18 is an Iranian state-linked threat group, also known as Charming Kitten or Phosphorus, with a history of cyber operations aligned with Iranian national interests.
The attackers aimed to collect sensitive personal data from military personnel and diplomats, likely for intelligence gathering and long-term strategic gain.
Targets included individuals associated with the U.S. and Greek (Hellenic) navies, U.S. State Department officials, and an Iranian-American philanthropist. The targets indicate a focus on high-value individuals with strategic or political relevance.
The group used stolen credentials to log into personal accounts, exfiltrated emails and files, and configured accounts for long-term access via a third-party email management platform. Failed phishing attempts were also observed.
Military and diplomatic figures possess sensitive information that can inform foreign policy or military strategy. Personal accounts often lack the protections of official systems, making them more vulnerable.
Enable multi-factor authentication, use strong and unique passwords with a password manager, and review account security settings regularly. Avoid reusing passwords across services.
The operation was targeted, focusing on individuals of strategic importance. However, the techniques used—especially credential harvesting—are broadly applicable and pose risks to a wide range of users.