Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

Imperial Kitten APT Claws at Israeli Industry with Multiyear Spy Effort

The Iran-linked group uses redirected websites to compromise victims and exfiltrate data in a campaign that has lasted over 2022 and 2023.

Dark Reading Staff, Dark Reading

November 9, 2023

1 Min Read
Striped cat sitting atop a royal purple cushion wearing a jeweled tiara or crown
Source: Fresh Start Images via Alamy Stock Photo

A group with links to Iran has been conducting watering-hole attacks against Israeli transportation, logistics, and technology sectors over the last two years, an investigation has uncovered.

According to research by CrowdStrike released today, the cyber-espionage attacks were conducted by a state-sponsored advanced persistent threat (APT) named "Imperial Kitten" (aka Yellow Liderc, Tortoiseshell, TA456, and Crimson Sandstorm), which has previously targeted organizations in the Israeli maritime, transportation, and technology sectors. The group has suspected links to Iran's Islamic Revolutionary Guard Corps.

The watering-hole attacks involve what CrowdStrike called "strategic web compromise," where Imperial Kitten has infiltrated legitimate sites in order to redirect website visitors to attacker-controlled locations that phish personal information and credentials. The data is then sent to a hardcoded domain and used for follow-on attacks. The compromised websites were primarily Israeli.

Imperial Kitten targets specific victims, such as IT service providers, for data exfiltration via strategic Web compromise. However, in some instances, the adversary directly serves malware to victims from the watering hole, and has mounted email campaigns involving used malicious Microsoft Excel documents in phishing attacks as another piece of the campaign.

In the latter instance, the group actively uses scanning tools, stolen VPN credentials, and vulnerability exploits to gain access to their targets, then uses the PAExec utility for lateral movement, and finally leverages custom and open source malware for data exfiltration. 

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights