Opsec Blunders Expose Rocket Kitten Masterminds

Security researchers have discovered a treasure trove of new information connected to infamous hacking campaign ‘Rocket Kitten,’ which is helping law enforcers disrupt the group behind it, linked to the Iranian Revolutionary Guard.

Although detailed by several security vendors in the past, Rocket Kitten’s inner workings have not been exposed to this degree before.

Check Point’s new report details how several security errors by the group allowed the vendor’s researchers to discover details of over 1,600 hacker targets, as well as the identity of one of the ringleaders: dubbed ‘Wool3n.H4T.’

When the researchers attempted to communicate with a phishing web server connected to the Rocket Kitten attacks, they were amazed to find that its back-end database allowed “password-less root access.”

Through this they found a phishing web app, designed in-house to generate “target-specific personalized phishing pages,” the Persian names of some of the attackers, and a “projects” table listing 1,842 records including all those attacked from August 2014-August 2015.

These victims include private and public sector targets in Saudi Arabia; embassies, diplomats and NATO commands in Afghanistan, Turkey, Qatar, UAE, Iraq, Kuwait and Yemen; Iranian researchers; and Islamic and anti-Islamic preachers.

Yet more opsec failures by the hacking group revealed personal details about key members, as the report explains:

“Using credentials hard-coded into the woolen key-logger, we were able to retrieve numerous woolger DAT files (key-logs), as uploaded from victims around the world…

Among many logged keystroke files containing stolen data, we stumbled on an astonishing discovery: the Rocket Kitten attackers had, in fact, infected their own workstations, apparently as ‘test-runs’ for woolger. The attackers failed to remove these files from the C&C server, demonstrating, yet again, utter lack of OPSEC.”

Analysing logs made by ‘Wool3n.H4t’, the researchers found him logging into AOL with the username ‘yaserbalaghi.’ Tracing the same email address to an Iranian programmers' forum, they found him giving a public SQLi tutorial whilst logged in under the supposedly secret ‘Wool3n.H4t’ alias.

“Engineer Yaser Balaghi is not only an active member of various programming forums—he had a web site (www.eng-balaghi.com, gone offline since August 2014, still available in the Wayback Machine). In the available archived version of the site he described himself as a ‘programmer, analyst, consultant and lecturer,’ and made himself available for hire. If all that wasn’t enough, we also managed to retrieve an updated resume for Tehran-based Engineer Balaghi.”

Tellingly, one of the projects listed on his CV is the design of “a ‘Phishing Attacks System’ ordered by ‘a cyber-organization’.”

The report claims the targeted attack group was still active as of October 2015, but Check Point confirmed to Infosecurity that thanks to its findings law enforcers are now actively working on a takedown.

“It is our understanding that the information we passed was effectively relayed to assist local law enforcement in Europe in the infrastructure takedown,” research director, Shahar Tal told Infosecurity.

“We have also seen evidence to suggest this has been successful to some extent. We will know better when we study the telemetry data in a few days.”

An Israeli security service official also told Reuters that the matter is “being attended to.”
