Cyberspies Impersonate Security Researcher

infographic_hacker_update-gp-trans.png

A cyber espionage group thought to be from Iran turned the tables on a security researcher who may have gotten a little too close to its operation: the attackers posed as the researcher in a spear-phishing email.

The researcher, from ClearSky, has been tracking the hacking group, known as Rocket Kitten.

"The researcher had infiltrated … and was able to pose as a person of interest in this group, and they had engaged" with the researcher, says Jon Clay, senior global marketing manager for Trend Micro, which along with ClearSky today published new findings on Rocket Kitten. The spear-phishing email included a malicious link purportedly to a Trend Micro malware scanner.

The attackers first attempted to contact the ClearSky researcher via a phony Facebook profile, a ploy that ultimately failed. In late June, he learned that the attackers had sent a spear phishing email to one of their previous victims, Dr. Thamar E. Gindin, a lecturer on linguistics and pre-Islamic Iranian culture -- using his name as the purported sender. He had worked before Gindin while investigating Rocket Kitten's hacking activities, so the attackers either somehow had obtained previous email correspondence between the two, or they knew of the researcher's investigation into their operations.
"I can't tell what the hackers' motivation was to go after this individual [the ClearSky researcher]; it did give us some good information," Clay says. "We see this often with underground [cybercrime] investigations: a researcher infiltrates a forum and starts to be able to speak with the threat actors, acting like a member of the group."

This latest targeted attack demonstrates how Rocket Kitten's M.O. is now more about targeting individuals rather than organizations for the intel it's after, according to Trend Micro's findings. That's a departure from its earlier days, where the cyber espionage group went after organizations mostly in policy research, diplomacy, international affairs, defense, security, journalism, and human rights groups in the Middle East. Their targets of late appear to be Iranian dissidents and Israelis, more clues that Rocket Kitten is an Iranian attack group whose purpose is intelligence about the individual's activities. It's classic espionage with a geopolitical twist, researchers say.
"The interesting thing we found is that they shifted from going after organizations, to going after individuals associated with those organizations. They can then utilize this personalized data to get into the corporate data; they use that to leverage lateral movement inside the organization," Clay says. The goal is to steal the targeted individual's credentials, for example, to obtain a foothold in the targeted organization and move about "legitimately."

ClearSky has counted some 550 targets, mostly in the Middle East. "They are scientists, journalists, researchers, and sometimes expatriated Iranians living in Western countries. These facts suggest that Rocket Kitten may be engaging some sort of foreign political espionage campaign and may want to find regime-opponents active in driving policy in different ways," the Trend Micro and ClearSky report said. "These people are professionally affiliated with the foreign policy and defense sectors and there is an interest in finding out who they are talking to and what kinds of action they support."

Rocket Kitten isn't considered highly sophisticated; it uses simple hacking tools they may have written as well as pilfered publicly available ones. Researchers from CrowdStrike and Cymmetria, along with the Israeli CERT, late last year discovered that the cyber espionage group had used Core Security's penetration testing tool in their attacks.

While the Kitten group is doggedly persistent--they sometimes go after the same individual on a daily basis with different lures--they are known to make typos and grammatical errors that make them easy to spot, a characteristic often associated with cybercriminals. "However, the attackers do make up for these disadvantages with persistence. Based on our research and profiling, we believe the members of the Rocket Kitten Group could be former cybercriminals who ventured into a new field for some unclear reason and so use some of the methods they used to. Many of their techniques are typically observed in criminal endeavors," the report said.

Trend Micro's Clay says while identifying who's behind hacker groups is "tough," Rocket Kitten's targets appear to suggest it's a pro-Iranian government entity. The big challenge has been measuring the group's hacking success: "In a lot of cases, we're just seeing the initial attempts," Clay says. "We don't know what they are exfiltrating."

Dark Reading:

 

« NSA Gives $300,000 for a Safer Internet of Things
Cognitive Computing: What Can and Can’t Be Done. »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Identity Theft Resource Center (ITRC)

Identity Theft Resource Center (ITRC)

ITRC is a non-profit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime.

TWNCERT

TWNCERT

TWNCERT is the National Computer Emergency Response Team of Taiwan.

IntSights

IntSights

IntSights is an intelligence driven security provider offering rapid, accurate cyberthreat intelligence and incident mitigation in real time

Niksun

Niksun

Niksun's forensics-based cyber security and network performance monitoring products provide customers with actionable insight into security threats, performance issues, and compliance risks.

Quick Heal Technologies

Quick Heal Technologies

Quick Heal Technologies is a leading IT security solutions provider focused on endpoint and network security solutions.

SEC Consult

SEC Consult

SEC Consult is a leading European consultancy for application security services and information security.

Mitre ATT&CK

Mitre ATT&CK

MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

Lightspin

Lightspin

Lightspin is a contextual cloud security platform that continuously visualizes, detects, prioritized, and prevents any threat to your cloud stack.

CyberHunter Solutions

CyberHunter Solutions

CyberHunter is a leading website security company that provides penetration testing, Network Vulnerability Assessments, cyber security consulting services to prevent cyber attacks.

Intracom Telecom

Intracom Telecom

Intracom Telecom is a global telecommunication systems & solutions vendor offering a complete range of professional services and solutions including Information Security.

Condition Zebra

Condition Zebra

Condition Zebra has wide experience in providing IT Security Services, Training, and Certification in the field of cybersecurity.

Lucata

Lucata

Lucata solutions support groundbreaking graph analytics and improved machine learning for organizations in financial services, cybersecurity, healthcare, pharmaceuticals, telecommunications and more.

CrossCountry Consulting

CrossCountry Consulting

CrossCountry Consulting is a trusted business advisory firm that provides customized finance, accounting, human capital management, risk, operations and technology consulting services.

RecoLabs

RecoLabs

Reco’s proprietary AI technology dynamically maps business interactions within your collaboration tools to identify sensitive assets shared and uncover incidents that are relevant to your business.

Hadrian

Hadrian

Hadrian is modernizing offensive security practices with automation, making them faster and more scalable. Equipped with the hacker’s perspective, companies can now know what their critical risks are.

Strategic Security Solutions (S3)

Strategic Security Solutions (S3)

S3 is a leading provider of Cybersecurity consulting services for Identity and Access Governance (IAG), Zero Trust, and Enterprise Risk and Compliance.