CopyKittens: Report Details Possible Iranian Threat Group
Security researchers have detailed a major politically motivated cyber espionage campaign focused on stealing information from government, defense and academic organizations via custom and commercial tools.
CopyKittens – which has been active since at least 2013 – has targeted organizations in Israel, Saudi Arabia, Turkey, the US, Jordan and Germany as well as UN employees, according to a joint report from Israeli firm ClearSky and Trend Micro.
Other methods include emailed links to malicious sites built by the group, weaponized Office documents, and the exploitation of web servers using SQL injection (SQLi) tools such as Havij and sqlmap and the Acunetix vulnerability scanner.
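The report names the off-the-shelf tools but not how a defender would spot them. The following is an added example, not code from the report or from ClearSky or Trend Micro: a small Python triage script that parses web-server access logs in combined format and flags two things, the default User-Agent strings these tools send when not customised (the substrings "sqlmap", "Havij" and "Acunetix" are the documented defaults; an operator can change them, sqlmap with --random-agent for instance, so this is an assumption about default configurations) and URL-decoded query strings that carry common SQLi payload shapes, which survive a changed User-Agent. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not taken from the report.
SAMPLE_LOG = '''
203.0.113.10 - - [10/Jul/2017:08:01:02 +0000] "GET /news.php?id=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
203.0.113.45 - - [10/Jul/2017:08:01:09 +0000] "GET /news.php?id=5%20AND%201234%3D1234 HTTP/1.1" 200 5120 "-" "sqlmap/1.1.7#stable (http://sqlmap.org)"
203.0.113.45 - - [10/Jul/2017:08:01:10 +0000] "GET /news.php?id=5%27%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "sqlmap/1.1.7#stable (http://sqlmap.org)"
198.51.100.7 - - [10/Jul/2017:08:02:31 +0000] "GET /login.aspx?user=admin%27%20or%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Havij)"
198.51.100.9 - - [10/Jul/2017:08:03:00 +0000] "GET /acunetix-wvs-test-for-some-inexistent-file HTTP/1.1" 404 211 "-" "Mozilla/5.0 (X11; Linux x86_64) Acunetix"
203.0.113.10 - - [10/Jul/2017:08:03:12 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
'''

# Apache/nginx combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default User-Agent markers of the three tools named in the report (assumption: defaults left in place).
TOOL_SIGNATURES = {
    "sqlmap": re.compile(r"sqlmap", re.I),
    "havij": re.compile(r"havij", re.I),
    "acunetix": re.compile(r"acunetix", re.I),
}

# Generic SQLi payload shapes, matched against the URL-decoded path and query.
SQLI_PATTERNS = [
    re.compile(r"\bunion\b.{0,40}\bselect\b", re.I),          # UNION-based extraction
    re.compile(r"\b(?:and|or)\b\s+\d+\s*=\s*\d+", re.I),        # boolean probes: AND 1234=1234, or 1=1
    re.compile(r"\b(?:sleep|benchmark|waitfor)\b\s*\(?", re.I),  # time-based probes
]


def classify(line):
    """Return a finding dict for a suspicious log line, or None for benign/unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ua, path = m.group("ua"), m.group("path")
    tool = next((name for name, sig in TOOL_SIGNATURES.items()
                 if sig.search(ua) or sig.search(path)), None)
    decoded = unquote(path)
    sqli = any(p.search(decoded) for p in SQLI_PATTERNS)
    if tool is None and not sqli:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "tool": tool,
            "sqli": sqli, "path": decoded, "status": int(m.group("status"))}


def scan(log_text):
    """Classify every line of a log and return the findings in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


def hits_per_source(findings):
    """Count findings per client IP so noisy scanners stand out."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ip']:14} tool={f['tool'] or '-':9} sqli={f['sqli']!s:5} {f['status']} {f['path']}")
    print("hits per source:", dict(hits_per_source(results)))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the payload patterns will also catch hand-typed injection attempts, so treat a User-Agent hit as a strong indicator and a payload-only hit as something to review.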
It also created fake social media profiles to build trust with targets and potentially spread malicious links.
In one attack, members of the German Bundestag were hit by several watering hole attacks, including ones linking to compromised Jerusalem Post pages.
In another, an IT company was infiltrated so hackers could use its VPN connection into client organizations, the report claimed.
The group's toolset includes the TDTESS backdoor; Vminst, a lateral movement tool; NetSrv, a Cobalt Strike loader; and ZPP, a console file-compression program. The group also uses Matryoshka v1, a self-developed RAT analyzed by ClearSky in a previous report, and the newer Matryoshka v2.
However, the group’s efforts lacked sophistication in some respects:
“Often, victim organizations would learn of the breach due to the non-stealthy behavior of the attackers. The attackers would get greedy, infecting multiple computers within the network of breached organizations. This would raise an alarm in various defense systems, making the victims initiate incident response operations.”
Although the report stops short of clear attribution, Eyal Sela, head of threat intelligence at ClearSky, pointed to Iranian hackers, as did a previous report. That would fit the list of CopyKittens targets.
Trend Micro EMEA threat research lead, Bob McArdle, explained that the hackers often target the same user repeatedly over multiple platforms until they get in, before pivoting to a higher value target on the network.
“As stated in our recent Pawn Storm report, we strongly recommend two factor authentication be implemented to protect webmail accounts from being compromised,” he added in a blog post.
“Webmail accounts can be a treasure trove of information for an attacker, and an extremely strong initial beachhead for pivoting into other targets e.g. replying to existing threads with malicious attachments or links."
Source: Information Security Magazine