Threat Group Cards: A Threat Actor Encyclopedia

APT group: Subgroup: TA455, Smoke Sandstorm

Names	TA455 (ClearSky) Smoke Sandstorm (Microsoft) Bohrium (Microsoft) DEV-0056 (Microsoft) Yellow Dev 13 (PWC) UNC1549 (Mandiant)
Country	Iran
Motivation	Information theft and espionage
First seen	2021
Description	A subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten. (Microsoft) Smoke Sandstorm (formerly BOHRIUM/DEV-0056) compromised email accounts at a Bahrain-based IT integration company in September 2021. This company works on IT integration with Bahrain Government clients, who were likely Smoke Sandstorm’s ultimate target. Smoke Sandstorm also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. In May of 2022, Microsoft took legal action to disrupt spear phishing operations linked to Smoke Sandstorm. There seems to be overlap with Tortoiseshell, Imperial Kitten.
Observed	Sectors: Aerospace, Aviation, Defense. Countries: Albania, India, Israel, Turkey, UAE and Middle East.
Tools used	LIGHTRAIL, MINIBIKE, MINIBUS, SlugResin, SnailResin.
Operations performed	Jun 2022	When Cats Fly: Suspected Iranian Threat Actor UNC1549 Targets Israeli and Middle East Aerospace and Defense Sectors <https://www.mandiant.com/resources/blog/suspected-iranian-unc1549-targets-israel-middle-east>
	Sep 2023	Operation “Iranian Dream Job” Iranian “Dream Job” Campaign 11.24 <https://www.clearskysec.com/wp-content/uploads/2024/11/Iranian-Dream-Job-ver1.pdf>
Information	<https://www.microsoft.com/en-us/security/security-insider/smoke-sandstorm>

Last change to this card: 29 December 2024

Download this actor card in PDF or JSON format