Threat Actor Characterization
Elfin
ID: 1de00f9940207b65c5eb700f9d6c85fb15588
Cybercrime
State-Sponsored
Threat types: ICS Compromise, Malware, Espionage
Progress: 40%
Completeness: 36%
Freshness: 50%
Operation zone: —
Aliases
| APT33 | HOLMIUM | Pe************* | — |
Showing 2 of 3 aliases in free preview.
MITRE ATT&CK®
confidence: medium
Elfin is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. Ref: https://attack.mitre.org/groups/G0064/
| Technique | Technique name | Tactics | Evidence |
|---|---|---|---|
| T1003.001 | LSASS Memory | TA0006 | |
| T1003.004 | LSA Secrets | TA0006 | |
| T1003.005 | Cached Domain Credentials | TA0006 | |
| T1027.013 | Encrypted/Encoded File | TA0005 | |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | TA0010 | |
| T1053.005 | Scheduled Task | TA0002, TA0003, TA0004 | |
| T1059.001 | PowerShell | TA0002 | |
| T1059.005 | Visual Basic | TA0002 | |
| T1071.001 | Web Protocols | TA0011 | |
| T1078.004 | Cloud Accounts | TA0001, TA0003, TA0004, TA0005 | |
| T1110.003 | Password Spraying | TA0006 | |
| T1132.001 | Standard Encoding | TA0011 | |
| T1204.001 | Malicious Link | TA0002 | |
| T1204.002 | Malicious File | TA0002 | |
| T1546.003 | Windows Management Instrumentation Event Subscription | TA0003, TA0004 | |
| T1547.001 | Registry Run Keys / Startup Folder | TA0003, TA0004 | |
| T1552.001 | Credentials In Files | TA0006 | |
| T1552.006 | Group Policy Preferences | TA0006 | |
| T1555.003 | Credentials from Web Browsers | TA0006 | |
| T1560.001 | Archive via Utility | TA0009 | |
| T1566.001 | Spearphishing Attachment | TA0001 | |
| T1566.002 | Spearphishing Link | TA0001 | |
| T1573.001 | Symmetric Cryptography | TA0011 | |
| T1588.002 | Tool | TA0042 | |