CopyKittens: Report Details Possible Iranian Threat Group

Written by

Security researchers have detailed a major politically motivated cyber espionage campaign focused on stealing info from government, defense and academic organizations via custom and commercial tools.

CopyKittens – which has been active since at least 2013 – has targeted organizations in Israel, Saudi Arabia, Turkey, the US, Jordan and Germany as well as UN employees, according to a joint report from Israeli firm ClearSky and Trend Micro.

It’s used a variety of means to do so, including watering hole attacks inserting JavaScript into tactically chosen sites such as the Jerusalem Post and IDF Disabled Veterans Organization.

Other methods include emailed links to malicious sites built by the group, weaponized Office documents, and the exploitation of web servers using vulnerability scanning and SQLi tools such as Havij, sqlmap, and Acunetix.

It also created fake social media profiles to build trust with targets and potentially spread malicious links.

In one attack, members of the German Bundestag were hit by several watering hole attacks, including ones linking to compromised Jerusalem Post pages.

In another, an IT company was infiltrated so hackers could use its VPN connection into client organizations, the report claimed.

As well as using public tools such as Red Team software Cobalt Strike, Metasploit, credential dumping tool Mimikatz and post-exploitation agent Empire, the group employed several developed in-house.

These include: TDTESS backdoor; lateral movement tool, Vminst; NetSrv, a Cobalt Strike loader; and ZPP, a files compression console program. The group also uses Matryoshka v1, a selfdeveloped RAT analyzed by ClearSky in a previous report, and newer version Matryoshka v2.

However, the group’s efforts lacked sophistication in some respects:

“Often, victim organizations would learn of the breach due to the non-stealthy behavior of the attackers. The attackers would get greedy, infecting multiple computers within the network of breached organizations. This would raise an alarm in various defense systems, making the victims initiate incident response operations.”

Although the report falls short of clear attribution, Iranian hackers were flagged by Eyal Sela, head of threat intelligence at ClearSky, and in a previous report. That would make sense, given the list of CopyKittens targets.

Trend Micro EMEA threat research lead, Bob McArdle, explained that the hackers often target the same user repeatedly over multiple platforms until they get in, before pivoting to a higher value target on the network.

“As stated in our recent Pawn Storm report, we strongly recommend two factor authentication be implemented to protect webmail accounts from being compromised,” he added in a blog post.

“Webmail accounts can be a treasure trove of information for an attacker, and an extremely strong initial beachhead for pivoting into other targets e.g. replying to existing threads with malicious attachments or links."

What’s hot on Infosecurity Magazine?