Application Security

9/1/2015
06:00 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

Cyberspies Impersonate Security Researcher

'Rocket Kitten' pro-Iranian regime hackers focusing more on targeting individuals for geopolitical espionage.

A cyber espionage group likely out of Iran turned the tables on a security researcher who may have gotten a little too close to its operation: the attackers posed as the researcher in a spear-phishing email.

The researcher, from ClearSky, has been tracking the hacking group, known as Rocket Kitten.

"[The researcher] had infiltrated … and was able to pose as a person of interest in this group, and they had engaged" with the researcher, says Jon Clay, senior global marketing manager for Trend Micro, which along with ClearSky today published new findings on Rocket Kitten. The spear-phishing email included a malicious link purportedly to a Trend Micro malware scanner.

Image Source: Trend Micro
Image Source: Trend Micro

The attackers first attempted to contact the ClearSky researcher via a phony Facebook profile, a ploy that ultimately failed. In late June, he learned that the attackers had sent a spear phishing email to one of their previous victims, Dr. Thamar E. Gindin, a lecturer on linguistics and pre-Islamic Iranian culture -- using his name as the purported sender. He had worked before Gindin while investigating Rocket Kitten's hacking activities, so the attackers either somehow had obtained previous email correspondence between the two, or they knew of the researcher's investigation into their operations.

"I can't tell what the hackers' motivation was to go after this individual [the ClearSky researcher]; it did give us some good information," Clay says. "We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group."

This latest targeted attack demonstrates how Rocket Kitten's M.O. is now more about targeting individuals rather than organizations for the intel it's after, according to Trend Micro's findings. That's a departure from its earlier days, where the cyber espionage group went after organizations mostly in policy research, diplomacy, international affairs, defense, security, journalism, and human rights groups in the Middle East. Their targets of late appear to be Iranian dissidents and Israelis, more clues that Rocket Kitten is an Iranian attack group whose purpose is intelligence about the individual's activities. It's classic espionage with a geopolitical twist, researchers say.

"The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization," Clay says. The goal is to steal the targeted individual's credentials, for example, to obtain a foothold in the targeted organization and move about "legitimately."

ClearSky has counted some 550 targets, mostly in the Middle East. "They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways," the Trend Micro and ClearSky report said. "These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support."

Rocket Kitten isn't considered highly sophisticated; it uses simple hacking tools they may have written as well as pilfered publicly available ones. Researchers from CrowdStrike and Cymmetria, along with the Israeli CERT, late last year discovered that the cyber espionage group had used Core Security's penetration testing tool in their attacks.

While the Kitten group is doggedly persistent--they sometimes go after the same individual on a daily basis with different lures--they are known to make typos and grammatical errors that make them easy to spot, a characteristic often associated with cybercriminals. "However, the attackers do make up for these disadvantages with persistence. Based on our research and profiling, we believe the members of the Rocket Kitten Group could be former cybercriminals who ventured into a new field for some unclear reason and so use some of the methods they used to. Many of their techniques are typically observed in criminal endeavors," the report said.

Trend Micro's Clay says while identifying who's behind hacker groups is "tough," Rocket Kitten's targets appear to suggest it's a pro-Iranian government entity. The big challenge has been measuring the group's hacking success: "In a lot of cases, we're just seeing the initial attempts," Clay says. "We don't know what they are exfiltrating."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
macker490
50%
50%
macker490,
User Rank: Ninja
9/7/2015 | 9:54:30 AM
Setting Duck
any system which (a) does not prevent un-authorized programming, and (b) which fails to authenticate incomming messages : is a setting duck target for hackers .
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
9/5/2015 | 6:23:53 AM
Re: That Cute Name
Oh, well then don't mind me.  -_-
wrstanton3
50%
50%
wrstanton3,
User Rank: Apprentice
9/4/2015 | 8:02:08 AM
Re: That Cute Name
Umm... Persian is Farsi...
Joe Stanganelli
0%
100%
Joe Stanganelli,
User Rank: Ninja
9/4/2015 | 5:50:01 AM
Re: That Cute Name
So I tried to copy-paste what Google Translate says "Rocket Kitten" is in Persian, but the website won't let me.  It's just as well; I've no idea how to pronounce it anyway.  ;)
BertrandW414
50%
50%
BertrandW414,
User Rank: Strategist
9/2/2015 | 3:50:16 PM
That Cute Name
The name is "Rocket Kitten"? That's hilarious and adorable. Maybe that name sounds more menacing in Farsi. :-)
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
CVE-2018-8825
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
CVE-2019-10688
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.