Cyberspies Impersonate Security Researcher

Published: 22/11/2024   Category: security


Rocket Kitten pro-Iranian regime hackers focusing more on targeting individuals for geopolitical espionage.



A cyber espionage group likely out of Iran turned the tables on a security researcher who may have gotten a little too close to its operation: the attackers posed as the researcher in a spear-phishing email.
The researcher, from ClearSky, has been tracking the hacking group, known as Rocket Kitten.
"[The researcher] had infiltrated … and was able to pose as a person of interest in this group, and they had engaged with the researcher," says Jon Clay, senior global marketing manager for Trend Micro, which along with ClearSky today published new findings on Rocket Kitten. The spear-phishing email included a malicious link purportedly to a Trend Micro malware scanner.
The attackers first attempted to contact the ClearSky researcher via a phony Facebook profile, a ploy that ultimately failed. In late June, he learned that the attackers had sent a spear-phishing email to one of their previous victims, Dr. Thamar E. Gindin, a lecturer on linguistics and pre-Islamic Iranian culture -- using his name as the purported sender. He had previously worked with Gindin while investigating Rocket Kitten's hacking activities, so the attackers either had somehow obtained previous email correspondence between the two, or they knew of the researcher's investigation into their operations.
"I can't tell what the hackers' motivation was to go after this individual [the ClearSky researcher]; it did give us some good information," Clay says. "We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group."
This latest targeted attack demonstrates how Rocket Kitten's M.O. is now more about targeting individuals rather than organizations for the intel it's after, according to Trend Micro's findings. That's a departure from its earlier days, when the cyber espionage group went after organizations mostly in policy research, diplomacy, international affairs, defense, security, journalism, and human rights groups in the Middle East. Its targets of late appear to be Iranian dissidents and Israelis, more clues that Rocket Kitten is an Iranian attack group whose purpose is gathering intelligence about those individuals' activities. It's classic espionage with a geopolitical twist, researchers say.
"The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization," Clay says. The goal is to steal the targeted individual's credentials, for example, to obtain a foothold in the targeted organization and move about legitimately.
ClearSky has counted some 550 targets, mostly in the Middle East. "They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging in some sort of foreign political espionage campaign and may want to find regime opponents active in driving policy in different ways," the Trend Micro and ClearSky report said. "These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support."
Rocket Kitten isn't considered highly sophisticated; it uses simple hacking tools it may have written itself as well as pilfered publicly available ones. Researchers from CrowdStrike and Cymmetria, along with the Israeli CERT, late last year discovered that the cyber espionage group had used Core Security's penetration testing tool in its attacks.
While the Kitten group is doggedly persistent -- they sometimes go after the same individual on a daily basis with different lures -- they are known to make typos and grammatical errors that make them easy to spot, a characteristic often associated with cybercriminals. "However, the attackers do make up for these disadvantages with persistence. Based on our research and profiling, we believe the members of the Rocket Kitten Group could be former cybercriminals who ventured into a new field for some unclear reason and so use some of the methods they used to. Many of their techniques are typically observed in criminal endeavors," the report said.
Trend Micro's Clay says that while identifying who's behind hacker groups is tough, Rocket Kitten's targets appear to suggest it's a pro-Iranian government entity. The big challenge has been measuring the group's hacking success: "In a lot of cases, we're just seeing the initial attempts," Clay says. "We don't know what they are exfiltrating."
