
Application Security

9/1/2015
06:00 PM

Cyberspies Impersonate Security Researcher

'Rocket Kitten' pro-Iranian regime hackers focusing more on targeting individuals for geopolitical espionage.

A cyber espionage group likely out of Iran turned the tables on a security researcher who may have gotten a little too close to its operation: the attackers posed as the researcher in a spear-phishing email.

The researcher, from ClearSky, has been tracking the hacking group, known as Rocket Kitten.

"[The researcher] had infiltrated … and was able to pose as a person of interest in this group, and they had engaged" with the researcher, says Jon Clay, senior global marketing manager for Trend Micro, which along with ClearSky today published new findings on Rocket Kitten. The spear-phishing email included a malicious link purportedly to a Trend Micro malware scanner.

Image Source: Trend Micro

The attackers first attempted to contact the ClearSky researcher through a phony Facebook profile, a ploy that ultimately failed. In late June, he learned that the attackers had sent a spear-phishing email to one of their previous victims, Dr. Thamar E. Gindin, a lecturer on linguistics and pre-Islamic Iranian culture, using his name as the purported sender. He had previously worked with Gindin while investigating Rocket Kitten's hacking activities, so the attackers either had somehow obtained earlier email correspondence between the two, or they knew of the researcher's investigation into their operations.

"I can't tell what the hackers' motivation was to go after this individual [the ClearSky researcher]; it did give us some good information," Clay says. "We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group."

This latest targeted attack demonstrates how Rocket Kitten's M.O. is now more about targeting individuals rather than organizations for the intel it's after, according to Trend Micro's findings. That's a departure from its earlier days, when the cyber espionage group mostly went after organizations in policy research, diplomacy, international affairs, defense, security, journalism, and human rights groups in the Middle East. Its targets of late appear to be Iranian dissidents and Israelis, further clues that Rocket Kitten is an Iranian attack group whose purpose is gathering intelligence about those individuals' activities. It's classic espionage with a geopolitical twist, researchers say.

"The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization," Clay says. The goal is to steal the targeted individual's credentials, for example, to obtain a foothold in the targeted organization and move about "legitimately."

ClearSky has counted some 550 targets, mostly in the Middle East. "They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways," the Trend Micro and ClearSky report said. "These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support."

Rocket Kitten isn't considered highly sophisticated; it uses simple hacking tools it may have written itself, as well as pilfered publicly available ones. Researchers from CrowdStrike and Cymmetria, along with the Israeli CERT, late last year discovered that the cyber espionage group had used Core Security's penetration testing tool in its attacks.

While the Kitten group is doggedly persistent--they sometimes go after the same individual on a daily basis with different lures--they are known to make typos and grammatical errors that make them easy to spot, a characteristic often associated with cybercriminals. "However, the attackers do make up for these disadvantages with persistence. Based on our research and profiling, we believe the members of the Rocket Kitten Group could be former cybercriminals who ventured into a new field for some unclear reason and so use some of the methods they used to. Many of their techniques are typically observed in criminal endeavors," the report said.

Trend Micro's Clay says while identifying who's behind hacker groups is "tough," Rocket Kitten's targets appear to suggest it's a pro-Iranian government entity. The big challenge has been measuring the group's hacking success: "In a lot of cases, we're just seeing the initial attempts," Clay says. "We don't know what they are exfiltrating."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
macker490, User Rank: Ninja, 9/7/2015 | 9:54:30 AM
Sitting Duck
any system which (a) does not prevent unauthorized programming, and (b) which fails to authenticate incoming messages: is a sitting duck target for hackers.
Joe Stanganelli, User Rank: Ninja, 9/5/2015 | 6:23:53 AM
Re: That Cute Name
Oh, well then don't mind me.  -_-
wrstanton3, User Rank: Apprentice, 9/4/2015 | 8:02:08 AM
Re: That Cute Name
Umm... Persian is Farsi...
Joe Stanganelli, User Rank: Ninja, 9/4/2015 | 5:50:01 AM
Re: That Cute Name
So I tried to copy-paste what Google Translate says "Rocket Kitten" is in Persian, but the website won't let me.  It's just as well; I've no idea how to pronounce it anyway.  ;)
BertrandW414, User Rank: Strategist, 9/2/2015 | 3:50:16 PM
That Cute Name
The name is "Rocket Kitten"? That's hilarious and adorable. Maybe that name sounds more menacing in Farsi. :-)