Emiel Haeghebaert

APT42: Wild Kittens and Where to Find Them

Charming Kitten, Phosphorus, TA453, and APT42. You’ve heard these names before, but who and what are they, and where can you find them? In this session, Mandiant analysts Emiel and Ashley will talk about APT42, a cluster of threat activity that conducts cyber espionage and credential harvesting on behalf of the Iranian government. APT42 is characterized by credential theft operations against corporate and personal email accounts and has consistently targeted Western think tanks and academics, current and former government officials, members of the Iranian diaspora in the United Kingdom, Israel, and the United States, as well as high-profile individuals within Iran.

This presentation will touch on the history of the group and, drawing on recent use cases, will illustrate how to leverage and turn the group’s bad habits and infrastructure patterns into reliable threat hunting techniques. It will cover how different third-party tools, like Censys, DomainTools, PassiveTotal, and VirusTotal are leveraged to identify new infrastructure in real time as well as changes in techniques over time. Attendance at this session will result in actionable takeaways for threat intelligence analysts!

Emiel Haeghebaert is a Senior Analyst with Mandiant Threat Intelligence’s Cyber Espionage Analysis team. Since joining the company in 2019, Emiel has produced extensive intelligence reporting on cyber threat activity emanating from the Middle East region and focuses his research on Iranian threat actors.

Prior to Mandiant, Emiel served in a variety of policy and academic research roles, including at Georgetown University and the Carnegie Endowment for International Peace.

Originally from Belgium, he holds a Master of Arts in Security Studies from Georgetown University and a BA in International Affairs from Vesalius College, Brussels.