TA455, Smoke Sandstorm

Description

A subgroup of Magic Hound, APT 35, Cobalt Illusion, Charming Kitten.

(Microsoft) Smoke Sandstorm (formerly BOHRIUM/DEV-0056) compromised email accounts at a Bahrain-based IT integration company in September 2021. This company works on IT integration with Bahrain Government clients, who were likely Smoke Sandstorm’s ultimate target. Smoke Sandstorm also compromised various accounts at a partially government-owned organization in the Middle East that provides information and communications technology to the defense and transportation sectors, which are targets of interest to the Iranian regime. In May of 2022, Microsoft took legal action to disrupt spear phishing operations linked to Smoke Sandstorm.

There seems to be overlap with Tortoiseshell, Imperial Kitten.

Names

Name | Name-Giver
TA455 | ClearSky
Smoke Sandstorm | Microsoft
Bohrium | Microsoft
DEV-0056 | Microsoft
Yellow Dev 13 | PWC
UNC1549 | Mandiant

Country

Motivation

  • Information theft and espionage

First Seen

2021

Observed Sectors

Observed Countries

Tools

Operations

Information

Other Information

Uuid

1f9277fa-f9e5-4a0b-a2a0-2179ddc62c86

Last Card Change

2024-12-29