Names | DEV-0270 (Microsoft) Nemesis Kitten (CrowdStrike) DireFate (BAE Systems) Yellow Dev 23 (PWC) Yellow Dev 24 (PWC) Lord Nemesis (OP Innovate) | |
Country | Iran | |
Motivation | Financial gain | |
First seen | 2022 | |
Description | A subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten. (Microsoft) Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. | |
Observed | ||
Tools used | Impacket, WmiExec, Living off the Land. | |
Operations performed | Nov 2023 | Lord Nemesis Strikes: Supply Chain Attack on the Israeli Academic Sector <https://op-c.net/blog/lord-nemesis-strikes-supply-chain-attack-on-the-israeli-academic-sector/> |
Information | <https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/> |
Last change to this card: 10 March 2024
Download this actor card in PDF or JSON format
Previous: Magic Hound, APT 35, Cobalt Illusion, Charming Kitten
Next: Subgroup: TA455, Smoke Sandstorm
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |